release: 2021.3.1-rc2

Merge branch 'master' into version-2021.3
# Conflicts: # web/src/constants.ts
2021-03-02 21:41:30 +01:00 · 2021-03-02 21:39:30 +01:00 · 2021-03-02 21:26:31 +01:00 · 2021-03-02 21:16:14 +01:00 · 2021-03-02 21:16:03 +01:00 · 2021-03-02 21:05:02 +01:00
1656 changed files with 104968 additions and 206400 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,44 +1,36 @@
 [bumpversion]
-current_version = 0.0.8-alpha
+current_version = 2021.3.1-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
 serialize = {major}.{minor}.{patch}-{release}
-message = bump version: {current_version} -> {new_version}
+message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:release]
 optional_value = stable
+first_value = beta
 values = 
 	alpha
 	beta
 	stable

-[bumpversion:file:helm/passbook/Chart.yaml]
+[bumpversion:file:website/docs/installation/docker-compose.md]

-[bumpversion:file:.gitlab-ci.yml]
+[bumpversion:file:website/docs/installation/kubernetes.md]

-[bumpversion:file:passbook/__init__.py]
+[bumpversion:file:docker-compose.yml]

-[bumpversion:file:passbook/api/__init__.py]
+[bumpversion:file:helm/values.yaml]

-[bumpversion:file:passbook/core/__init__.py]
+[bumpversion:file:helm/README.md]

-[bumpversion:file:passbook/admin/__init__.py]
+[bumpversion:file:helm/Chart.yaml]

-[bumpversion:file:passbook/captcha_factor/__init__.py]
+[bumpversion:file:.github/workflows/release.yml]

-[bumpversion:file:passbook/oauth_client/__init__.py]
+[bumpversion:file:authentik/__init__.py]

-[bumpversion:file:passbook/ldap/__init__.py]
-
-[bumpversion:file:passbook/lib/__init__.py]
-
-[bumpversion:file:passbook/saml_idp/__init__.py]
-
-[bumpversion:file:passbook/audit/__init__.py]
-
-[bumpversion:file:passbook/oauth_provider/__init__.py]
-
-[bumpversion:file:passbook/otp/__init__.py]
+[bumpversion:file:outpost/pkg/version.go]

+[bumpversion:file:web/src/constants.ts]
--- a/.coveragerc
+++ b/.coveragerc
@ -1,35 +0,0 @@
-[run]
-source = passbook
-omit =
-    env/
-    */wsgi.py
-    manage.py
-    */migrations/*
-    */apps.py
-    passbook/management/commands/nexus_upload.py
-    passbook/management/commands/web.py
-    passbook/management/commands/worker.py
-    docs/
-
-[report]
-sort = Cover
-skip_covered = True
-precision = 2
-exclude_lines =
-  pragma: no cover
-
-    # Don't complain about missing debug-only code:
-    def __unicode__
-    def __str__
-    def __repr__
-    if self\.debug
-
-    # Don't complain if tests don't hit defensive assertion code:
-    raise AssertionError
-    raise NotImplementedError
-
-    # Don't complain if non-runnable code isn't run:
-    if 0:
-    if __name__ == .__main__.:
-
-show_missing = True
--- a/.dockerignore
+++ b/.dockerignore
@ -1,4 +1,6 @@
 env
 helm
-passbook-ui
 static
+htmlcov
+*.env.yml
+**/node_modules
--- a/.editorconfig
+++ b/.editorconfig
@ -9,3 +9,6 @@ insert_final_newline = true

 [html]
 indent_size = 2
+
+[yaml]
+indent_size = 2
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1 @@
+github: [BeryJu]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,34 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Output of docker-compose logs or kubectl logs respectively
+
+**Version and Deployment (please complete the following information):**
+ - authentik version: [e.g. 0.10.0-stable]
+ - Deployment: [e.g. docker-compose, helm]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,50 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/outpost"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: npm
+  directory: "/web"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: npm
+  directory: "/website"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
+- package-ecosystem: docker
+  directory: "/outpost"
+  schedule:
+    interval: daily
+    time: "04:00"
+  open-pull-requests-limit: 10
+  assignees:
+  - BeryJu
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,111 @@
+name: authentik-on-release
+
+on:
+  release:
+    types: [published, created]
+
+jobs:
+  # Build
+  build-server:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: docker build
+          --no-cache
+          -t beryju/authentik:2021.3.1-rc2
+          -t beryju/authentik:latest
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik:2021.3.1-rc2
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik:latest
+  build-proxy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "^1.15"
+      - name: prepare go api client
+        run: |
+          cd outpost
+          go get -u github.com/go-swagger/go-swagger/cmd/swagger
+          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
+          go build -v .
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: |
+          cd outpost/
+          docker build \
+          --no-cache \
+          -t beryju/authentik-proxy:2021.3.1-rc2 \
+          -t beryju/authentik-proxy:latest \
+          -f proxy.Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik-proxy:2021.3.1-rc2
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik-proxy:latest
+  build-static:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Docker Login Registry
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
+      - name: Building Docker Image
+        run: |
+          cd web/
+          docker build \
+          --no-cache \
+          -t beryju/authentik-static:2021.3.1-rc2 \
+          -t beryju/authentik-static:latest \
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik-static:2021.3.1-rc2
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik-static:latest
+  test-release:
+    needs:
+      - build-server
+      - build-static
+      - build-proxy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Run test suite in final docker images
+        run: |
+          sudo apt-get install -y pwgen
+          echo "PG_PASS=$(pwgen 40 1)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(pwgen 50 1)" >> .env
+          docker-compose pull -q
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+  sentry-release:
+    needs:
+      - test-release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Create a Sentry.io release
+        uses: tclindner/sentry-releases-action@v1.2.0
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_ORG: beryjuorg
+          SENTRY_PROJECT: authentik
+          SENTRY_URL: https://sentry.beryju.org
+        with:
+          tagName: 2021.3.1-rc2
+          environment: beryjuorg-prod
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -0,0 +1,63 @@
+name: authentik-on-tag
+
+on:
+  push:
+    tags:
+    - 'version/*'
+
+jobs:
+  build:
+    name: Create Release from Tag
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Pre-release test
+        run: |
+          sudo apt-get install -y pwgen
+          echo "AUTHENTIK_TAG=latest" >> .env
+          echo "PG_PASS=$(pwgen 40 1)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(pwgen 50 1)" >> .env
+          docker-compose pull -q
+          docker build \
+            --no-cache \
+            -t beryju/authentik:latest \
+            -f Dockerfile .
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+      - name: Install Helm
+        run: |
+          apt update && apt install -y curl
+          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+      - name: Helm package
+        run: |
+          helm dependency update helm/
+          helm package helm/
+          mv authentik-*.tgz authentik-chart.tgz
+      - name: Extract version number
+        id: get_version
+        uses: actions/github-script@0.2.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ steps.get_version.outputs.result }}
+          draft: true
+          prerelease: false
+      - name: Upload packaged Helm Chart
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1.0.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./authentik-chart.tgz
+          asset_name: authentik-chart.tgz
+          asset_content_type: application/gzip
--- a/.gitignore
+++ b/.gitignore
@ -27,12 +27,12 @@ media
 .Python
 build/
 develop-eggs/
-dist/
 downloads/
 eggs/
 .eggs/
 lib64/
 parts/
+dist/
 sdist/
 var/
 wheels/
@ -63,6 +63,7 @@ coverage.xml
 *.cover
 .hypothesis/
 .pytest_cache/
+unittest.xml

 # Translations
 *.mo
@ -184,10 +185,20 @@ dmypy.json
 [Ii]nclude
 [Ll]ib64
 [Ll]ocal
-[Ss]cripts
 pyvenv.cfg
 pip-selfcheck.json

 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
+.vscode/
+
+### Helm ###
+# Chart dependencies
+**/charts/*.tgz
+
+# Selenium Screenshots
+selenium_screenshots/
+backups/
+media/
+*mmdb
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,140 +0,0 @@
-# Global Variables
-before_script:
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test
-  - build
-  - docs
-image: python:3.6
-services:
-  - postgres:latest
-
-variables:
-  POSTGRES_DB: passbook
-  POSTGRES_USER: passbook
-  POSTGRES_PASSWORD: 'EK-5jnKfjrGRm<77'
-  SUPERVISR_ENV: ci
-
-include:
-  - /allauth/.gitlab-ci.yml
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test
-migrations:
-  script:
-    - python manage.py migrate
-  stage: test
-prospector:
-  script:
-    - prospector
-  stage: test
-pylint:
-  script:
-    - pylint passbook
-  stage: test
-coverage:
-  script:
-    - coverage run manage.py test
-    - coverage report
-  stage: test
-bandit:
-  script:
-    - bandit -r passbook
-  stage: test
-
-package-docker:
-  image:
-    name: gcr.io/kaniko-project/executor:debug
-    entrypoint: [""]
-  before_script:
-    - echo "{\"auths\":{\"https://docker.$NEXUS_URL/\":{\"username\":\"$NEXUS_USER\",\"password\":\"$NEXUS_PASS\"}}}" > /kaniko/.docker/config.json
-  script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.pkg.beryju.org/passbook:latest --destination docker.pkg.beryju.org/passbook:0.0.8-alpha
-  stage: build
-  only:
-    - tags
-    - /^version/.*$/
-package-helm:
-  stage: build
-  script:
-    - curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
-    - helm init --client-only
-    - helm package helm/passbook
-    - ./manage.py nexus_upload --method put --url $NEXUS_URL --user $NEXUS_USER --password $NEXUS_PASS --repo helm *.tgz
-  only:
-    - tags
-    - /^version/.*$/
-# package-3.5:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.5 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.5*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#   - tags
-#   - /^debian/.*$/
-# package-3.6:
-#   before_script:
-#     - apt update
-#     - apt install -y build-essential debhelper devscripts equivs python3 python3-pip
-#     - cp debian/control-3.6 debian/control
-#     - mk-build-deps debian/control
-#     - apt install ./*build-deps*deb -f -y
-#     - "python3 -m pip install -U virtualenv"
-#     - "virtualenv env"
-#     - "source env/bin/activate"
-#     - "pip3 install -U -r requirements.txt -r requirements-dev.txt"
-#   image: debian:buster
-#   script:
-#     - debuild -us -uc
-#     - cp ../passbook*.deb .
-#     - python manage.py nexus_upload
-#   artifacts:
-#     paths:
-#     - passbook-python3.6*deb
-#     expire_in: 2 days
-#   stage: build
-#   only:
-#     - tags
-#     - /^debian/.*$r
-
-# docs:
-#   stage: docs
-#   only:
-#   - master
-#   - tags
-#   - /^debian/.*$/
-#   environment:
-#     name: docs
-#     url: "https://passbook.beryju.org/docs/"
-#   script:
-#     - apt update
-#     - apt install -y rsync
-#     - "mkdir ~/.ssh"
-#     - "cp .gitlab/known_hosts ~/.ssh/"
-#     - "pip3 install -U -r requirements-docs.txt"
-#     - "eval $(ssh-agent -s)"
-#     - "echo \"${CI_SSH_PRIVATE}\" | ssh-add -"
-#     - mkdocs build
-#     - 'rsync -avh --delete web/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/"'
-#     - 'rsync -avh --delete site/* "beryjuorg@ory1-web-prod-1.ory1.beryju.org:passbook.beryju.org/docs/"'
--- a/.prospector.yaml
+++ b/.prospector.yaml
@ -3,10 +3,10 @@ test-warnings: true
 doc-warnings: false

 ignore-paths:
-  - env
  - migrations
  - docs
  - node_modules

 uses:
- - django
+  - django
+  - celery
--- a/.pylintrc
+++ b/.pylintrc
@ -1,12 +1,29 @@
 [MASTER]

-disable=redefined-outer-name,arguments-differ,no-self-use,cyclic-import,fixme,locally-disabled,unpacking-non-sequence,too-many-ancestors,too-many-branches,too-few-public-methods
+disable =
+    arguments-differ,
+    no-self-use,
+    fixme,
+    locally-disabled,
+    too-many-ancestors,
+    too-few-public-methods,
+    import-outside-toplevel,
+    bad-continuation,
+    signature-differs,
+    similarities,
+    cyclic-import,
+    protected-access,
+    unsubscriptable-object # remove when pylint is upgraded to 2.6
+
 load-plugins=pylint_django,pylint.extensions.bad_builtin
-#,pylint.extensions.docparams
-extension-pkg-whitelist=lxml
+
+extension-pkg-whitelist=lxml,xmlsec
+
+# Allow constants to be shorter than normal (and lowercase, for settings.py)
 const-rgx=[a-zA-Z0-9_]{1,40}$

-[SIMILARITIES]
-
-# Minimum lines number of a similarity.
-min-similarity-lines=20
+ignored-modules=django-otp
+generated-members=xmlsec.constants.*,xmlsec.tree.*,xmlsec.template.*
+ignore=migrations
+max-attributes=12
+max-branches=20
--- a/.vscode/.ropeproject/config.py
+++ b/.vscode/.ropeproject/config.py
@ -1,114 +0,0 @@
-# The default ``config.py``
-# flake8: noqa
-
-
-def set_prefs(prefs):
-    """This function is called before opening the project"""
-
-    # Specify which files and folders to ignore in the project.
-    # Changes to ignored resources are not added to the history and
-    # VCSs.  Also they are not returned in `Project.get_files()`.
-    # Note that ``?`` and ``*`` match all characters but slashes.
-    # '*.pyc': matches 'test.pyc' and 'pkg/test.pyc'
-    # 'mod*.pyc': matches 'test/mod1.pyc' but not 'mod/1.pyc'
-    # '.svn': matches 'pkg/.svn' and all of its children
-    # 'build/*.o': matches 'build/lib.o' but not 'build/sub/lib.o'
-    # 'build//*.o': matches 'build/lib.o' and 'build/sub/lib.o'
-    prefs['ignored_resources'] = ['*.pyc', '*~', '.ropeproject',
-                                  '.hg', '.svn', '_svn', '.git', '.tox']
-
-    # Specifies which files should be considered python files.  It is
-    # useful when you have scripts inside your project.  Only files
-    # ending with ``.py`` are considered to be python files by
-    # default.
-    # prefs['python_files'] = ['*.py']
-
-    # Custom source folders:  By default rope searches the project
-    # for finding source folders (folders that should be searched
-    # for finding modules).  You can add paths to that list.  Note
-    # that rope guesses project source folders correctly most of the
-    # time; use this if you have any problems.
-    # The folders should be relative to project root and use '/' for
-    # separating folders regardless of the platform rope is running on.
-    # 'src/my_source_folder' for instance.
-    # prefs.add('source_folders', 'src')
-
-    # You can extend python path for looking up modules
-    # prefs.add('python_path', '~/python/')
-
-    # Should rope save object information or not.
-    prefs['save_objectdb'] = True
-    prefs['compress_objectdb'] = False
-
-    # If `True`, rope analyzes each module when it is being saved.
-    prefs['automatic_soa'] = True
-    # The depth of calls to follow in static object analysis
-    prefs['soa_followed_calls'] = 0
-
-    # If `False` when running modules or unit tests "dynamic object
-    # analysis" is turned off.  This makes them much faster.
-    prefs['perform_doa'] = True
-
-    # Rope can check the validity of its object DB when running.
-    prefs['validate_objectdb'] = True
-
-    # How many undos to hold?
-    prefs['max_history_items'] = 32
-
-    # Shows whether to save history across sessions.
-    prefs['save_history'] = True
-    prefs['compress_history'] = False
-
-    # Set the number spaces used for indenting.  According to
-    # :PEP:`8`, it is best to use 4 spaces.  Since most of rope's
-    # unit-tests use 4 spaces it is more reliable, too.
-    prefs['indent_size'] = 4
-
-    # Builtin and c-extension modules that are allowed to be imported
-    # and inspected by rope.
-    prefs['extension_modules'] = []
-
-    # Add all standard c-extensions to extension_modules list.
-    prefs['import_dynload_stdmods'] = True
-
-    # If `True` modules with syntax errors are considered to be empty.
-    # The default value is `False`; When `False` syntax errors raise
-    # `rope.base.exceptions.ModuleSyntaxError` exception.
-    prefs['ignore_syntax_errors'] = False
-
-    # If `True`, rope ignores unresolvable imports.  Otherwise, they
-    # appear in the importing namespace.
-    prefs['ignore_bad_imports'] = False
-
-    # If `True`, rope will insert new module imports as
-    # `from <package> import <module>` by default.
-    prefs['prefer_module_from_imports'] = False
-
-    # If `True`, rope will transform a comma list of imports into
-    # multiple separate import statements when organizing
-    # imports.
-    prefs['split_imports'] = False
-
-    # If `True`, rope will remove all top-level import statements and
-    # reinsert them at the top of the module when making changes.
-    prefs['pull_imports_to_top'] = True
-
-    # If `True`, rope will sort imports alphabetically by module name instead
-    # of alphabetically by import statement, with from imports after normal
-    # imports.
-    prefs['sort_imports_alphabetically'] = False
-
-    # Location of implementation of
-    # rope.base.oi.type_hinting.interfaces.ITypeHintingFactory In general
-    # case, you don't have to change this value, unless you're an rope expert.
-    # Change this value to inject you own implementations of interfaces
-    # listed in module rope.base.oi.type_hinting.providers.interfaces
-    # For example, you can add you own providers for Django Models, or disable
-    # the search type-hinting in a class hierarchy, etc.
-    prefs['type_hinting_factory'] = (
-        'rope.base.oi.type_hinting.factory.default_type_hinting_factory')
-
-
-def project_opened(project):
-    """This function is called after opening the project"""
-    # Do whatever you like here!
--- a/.vscode/.ropeproject/objectdb
+++ b/.vscode/.ropeproject/objectdb
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,11 +0,0 @@
-{
-  "python.pythonPath": "env/bin/python",
-  "editor.tabSize": 4,
-  "[html]": {
-    "editor.tabSize": 2
-  },
-  "cSpell.words": [
-    "SAML",
-    "passbook"
-  ]
-}
--- a/58
+++ b/58
@ -1,28 +1,48 @@
-FROM python:3.6-slim-stretch as build
+FROM python:3.9-slim-buster as locker

-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
+COPY ./Pipfile /app/
+COPY ./Pipfile.lock /app/

 WORKDIR /app/

-RUN mkdir /app/static/ && \
-    pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    ./manage.py collectstatic --no-input
+RUN pip install pipenv && \
+    pipenv lock -r > requirements.txt && \
+    pipenv lock -rd > requirements-dev.txt

-FROM python:3.6-slim-stretch
+FROM python:3.9-slim-buster

-COPY ./passbook/ /app/passbook
-COPY ./manage.py /app/
-COPY ./requirements.txt /app/
-COPY --from=build /app/static /app/static/
+WORKDIR /
+COPY --from=locker /app/requirements.txt /
+COPY --from=locker /app/requirements-dev.txt /

-WORKDIR /app/
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
+    echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
+    apt-get clean && \
+    pip install -r /requirements.txt --no-cache-dir && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y && \
+    # This is quite hacky, but docker has no guaranteed Group ID
+    # we could instead check for the GID of the socket and add the user dynamically,
+    # but then we have to drop permmissions later
+    groupadd -g 998 docker_998 && \
+    groupadd -g 999 docker_999 && \
+    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
+    usermod -a -G docker_998 authentik && \
+    usermod -a -G docker_999 authentik && \
+    mkdir /backups && \
+    chown authentik:authentik /backups

-RUN pip install -r requirements.txt && \
-    pip install psycopg2 && \
-    adduser --system --home /app/ passbook && \
-    chown -R passbook /app/
+COPY ./authentik/ /authentik
+COPY ./pytest.ini /
+COPY ./xml /xml
+COPY ./manage.py /
+COPY ./lifecycle/ /lifecycle

-USER passbook
+USER authentik
+STOPSIGNAL SIGINT
+ENV TMPDIR /dev/shm/
+ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]
--- a/687
+++ b/687
@ -1,21 +1,674 @@
-MIT License
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007

-Copyright (c) 2018 BeryJu.org
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+                            Preamble

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/38
+++ b/38
@ -0,0 +1,38 @@
+all: lint-fix lint coverage gen
+
+test-integration:
+	k3d cluster create || exit 0
+	k3d kubeconfig write -o ~/.kube/config --overwrite
+	coverage run manage.py test -v 3 tests/integration
+
+test-e2e:
+	coverage run manage.py test -v 3 tests/e2e
+
+coverage:
+	coverage run manage.py test -v 3 authentik
+	coverage html
+	coverage report
+
+lint-fix:
+	isort -rc authentik tests lifecycle
+	black authentik tests lifecycle
+
+lint:
+	pyright authentik tests lifecycle
+	bandit -r authentik tests lifecycle -x node_modules
+	pylint authentik tests lifecycle
+	prospector
+
+gen: coverage
+	./manage.py generate_swagger -o swagger.yaml -f yaml
+
+local-stack:
+	export AUTHENTIK_TAG=testing
+	docker build -t beryju/authentik:testng .
+	docker-compose up -d
+	docker-compose run --rm server migrate
+
+build-static:
+	docker-compose -f scripts/ci.docker-compose.yml up -d
+	docker build -t beryju/authentik-static -f static.Dockerfile --network=scripts_default .
+	docker-compose -f scripts/ci.docker-compose.yml down -v
--- a/64
+++ b/64
@ -0,0 +1,64 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[packages]
+boto3 = "*"
+celery = "*"
+channels = "*"
+channels-redis = "*"
+dacite = "*"
+defusedxml = "*"
+django = "*"
+django-cors-middleware = "*"
+django-dbbackup = "*"
+django-filter = "*"
+django-guardian = "*"
+django-model-utils = "*"
+django-otp = "*"
+django-prometheus = "*"
+django-redis = "*"
+django-storages = "*"
+djangorestframework = "*"
+djangorestframework-guardian = "*"
+docker = "*"
+drf_yasg2 = "*"
+facebook-sdk = "*"
+geoip2 = "*"
+gunicorn = "*"
+kubernetes = "*"
+ldap3 = "*"
+lxml = "*"
+packaging = "*"
+psycopg2-binary = "*"
+pycryptodome = "*"
+pyjwkest = "*"
+pyyaml = "*"
+requests-oauthlib = "*"
+sentry-sdk = "*"
+service_identity = "*"
+structlog = "*"
+swagger-spec-validator = "*"
+urllib3 = {extras = ["secure"],version = "*"}
+uvicorn = {extras = ["standard"],version = "*"}
+webauthn = "*"
+xmlsec = "*"
+twisted = "==20.3.0"
+
+[requires]
+python_version = "3.9"
+
+[dev-packages]
+autopep8 = "*"
+bandit = "*"
+black = "==20.8b1"
+bumpversion = "*"
+colorama = "*"
+coverage = "*"
+pylint = "<=2.6.0"
+pylint-django = "*"
+selenium = "*"
+prospector = "*"
+pytest = "*"
+pytest-django = "*"
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/README.md
+++ b/README.md
@ -0,0 +1,38 @@
+<p align="center">
+    <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" height="150" alt="authentik logo">
+</p>
+
+---
+
+[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/KPnmtNWy)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
+![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
+![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
+
+## What is authentik?
+
+authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols. authentik is also a great solution for implementing signup/recovery/etc in your application, so you don't have to deal with it.
+
+## Installation
+
+For small/test setups it is recommended to use docker-compose, see the [documentation](https://goauthentik.io/docs/installation/docker-compose/)
+
+For bigger setups, there is a Helm Chart in the `helm/` directory. This is documented [here](https://goauthentik.io/docs/installation/kubernetes/)
+
+## Screenshots
+
+Light | Dark
+--- | ---
+![](https://goauthentik.io/img/screen_apps_light.png) | ![](https://goauthentik.io/img/screen_apps_dark.png)
+![](https://goauthentik.io/img/screen_admin_light.png) | ![](https://goauthentik.io/img/screen_admin_dark.png)
+
+## Development
+
+See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
+
+## Security
+
+See [SECURITY.md](SECURITY.md)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+| Version    | Supported          |
+| ---------- | ------------------ |
+| 2021.1.x   | :white_check_mark: |
+| 2021.2.x   | :white_check_mark: |
+| 2021.3.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+To report a vulnerability, send an email to [security@beryju.org](mailto:security@beryju.org)
--- a/allauth/.gitlab-ci.yml
+++ b/allauth/.gitlab-ci.yml
@ -1,27 +0,0 @@
-# Global Variables
-before_script:
-  - cd allauth/
-  - "python3 -m pip install -U virtualenv"
-  - "virtualenv env"
-  - "source env/bin/activate"
-  - "pip3 install -U -r requirements-dev.txt"
-stages:
-  - test-allauth
-image: python:3.6
-
-isort:
-  script:
-    - isort -c -sg env
-  stage: test-allauth
-prospector:
-  script:
-    - prospector
-  stage: test-allauth
-pylint:
-  script:
-    - pylint passbook
-  stage: test-allauth
-bandit:
-  script:
-    - bandit -r allauth_passbook
-  stage: test-allauth
--- a/allauth/allauth_passbook/provider.py
+++ b/allauth/allauth_passbook/provider.py
@ -1,35 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.base import ProviderAccount
-from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
-
-
-class PassbookAccount(ProviderAccount):
-    """passbook account"""
-
-    def to_str(self):
-        dflt = super().to_str()
-        return self.account.extra_data.get('username', dflt)
-
-
-class PassbookProvider(OAuth2Provider):
-    """passbook provider"""
-
-    id = 'passbook'
-    name = 'passbook'
-    account_class = PassbookAccount
-
-    def extract_uid(self, data):
-        return str(data['sub'])
-
-    def extract_common_fields(self, data):
-        return {
-            'email': data.get('email'),
-            'username': data.get('preferred_username'),
-            'name': data.get('name'),
-        }
-
-    def get_default_scope(self):
-        return ['openid:userinfo']
-
-
-provider_classes = [PassbookProvider] # noqa
--- a/allauth/allauth_passbook/urls.py
+++ b/allauth/allauth_passbook/urls.py
@ -1,5 +0,0 @@
-"""passbook provider"""
-from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
-from allauth_passbook.provider import PassbookProvider
-
-urlpatterns = default_urlpatterns(PassbookProvider)
--- a/allauth/allauth_passbook/views.py
+++ b/allauth/allauth_passbook/views.py
@ -1,37 +0,0 @@
-"""passbook adapter"""
-import requests
-
-from allauth.socialaccount import app_settings
-from allauth.socialaccount.providers.oauth2.views import (OAuth2Adapter,
-                                                          OAuth2CallbackView,
-                                                          OAuth2LoginView)
-from allauth_passbook.provider import PassbookProvider
-
-
-class PassbookOAuth2Adapter(OAuth2Adapter):
-    """passbook OAuth2 Adapter"""
-    provider_id = PassbookProvider.id
-    # pylint: disable=no-member
-    settings = app_settings.PROVIDERS.get(provider_id, {}) # noqa
-    provider_base_url = settings.get("PASSBOOK_URL", 'https://id.beryju.org')
-
-    access_token_url = '{0}/application/oauth/token/'.format(provider_base_url)
-    authorize_url = '{0}/application/oauth/authorize/'.format(provider_base_url)
-    profile_url = '{0}/api/v1/openid/'.format(
-        provider_base_url)
-
-    def complete_login(self, request, app, access_token, **kwargs):
-        headers = {
-            'Authorization': 'Bearer {0}'.format(access_token.token),
-            'Content-Type': 'application/json',
-        }
-        extra_data = requests.get(self.profile_url, headers=headers)
-
-        return self.get_provider().sociallogin_from_response(
-            request,
-            extra_data.json()
-        )
-
-
-oauth2_login = OAuth2LoginView.adapter_view(PassbookOAuth2Adapter) # noqa
-oauth2_callback = OAuth2CallbackView.adapter_view(PassbookOAuth2Adapter) # noqa
--- a/allauth/requirements.txt
+++ b/allauth/requirements.txt
@ -1 +0,0 @@
-django-allauth
--- a/allauth/setup.py
+++ b/allauth/setup.py
@ -1,33 +0,0 @@
-"""passbook allauth setup.py"""
-from setuptools import setup
-
-setup(
-    name='django-allauth-passbook',
-    version='1.0.0',
-    description='passbook support for django-allauth',
-    # long_description='\n'.join(read_simple('docs/index.md')[2:]),
-    long_description_content_type='text/markdown',
-    author='BeryJu.org',
-    author_email='hello@beryju.org',
-    packages=['allauth_passbook'],
-    include_package_data=True,
-    install_requires=['django-allauth'],
-    keywords='django allauth passbook',
-    license='MIT',
-    classifiers=[
-        'Intended Audience :: Developers',
-        'Topic :: Software Development :: Libraries :: Python Modules',
-        'Environment :: Web Environment',
-        'Topic :: Internet',
-        'License :: OSI Approved :: MIT License',
-        'Operating System :: OS Independent',
-        'Programming Language :: Python',
-        'Programming Language :: Python :: 3.4',
-        'Programming Language :: Python :: 3.5',
-        'Programming Language :: Python :: 3.6',
-        'Framework :: Django',
-        'Framework :: Django :: 1.11',
-        'Framework :: Django :: 2.0',
-        'Framework :: Django :: 2.1',
-    ],
-)
--- a/authentik/init.py
+++ b/authentik/init.py
@ -0,0 +1,2 @@
+"""authentik"""
+__version__ = "2021.3.1-rc2"
--- a/allauth/allauth_passbook/init.py
+++ b/allauth/allauth_passbook/init.py
--- a/authentik/admin/api/init.py
+++ b/authentik/admin/api/init.py
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -0,0 +1,77 @@
+"""authentik administration metrics"""
+import time
+from collections import Counter
+from datetime import timedelta
+
+from django.db.models import Count, ExpressionWrapper, F, Model
+from django.db.models.fields import DurationField
+from django.db.models.functions import ExtractHour
+from django.utils.timezone import now
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.fields import SerializerMethodField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+from authentik.events.models import Event, EventAction
+
+
+def get_events_per_1h(**filter_kwargs) -> list[dict[str, int]]:
+    """Get event count by hour in the last day, fill with zeros"""
+    date_from = now() - timedelta(days=1)
+    result = (
+        Event.objects.filter(created__gte=date_from, **filter_kwargs)
+        .annotate(
+            age=ExpressionWrapper(now() - F("created"), output_field=DurationField())
+        )
+        .annotate(age_hours=ExtractHour("age"))
+        .values("age_hours")
+        .annotate(count=Count("pk"))
+        .order_by("age_hours")
+    )
+    data = Counter({int(d["age_hours"]): d["count"] for d in result})
+    results = []
+    _now = now()
+    for hour in range(0, -24, -1):
+        results.append(
+            {
+                "x": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
+                "y": data[hour * -1],
+            }
+        )
+    return results
+
+
+class AdministrationMetricsSerializer(Serializer):
+    """Login Metrics per 1h"""
+
+    logins_per_1h = SerializerMethodField()
+    logins_failed_per_1h = SerializerMethodField()
+
+    def get_logins_per_1h(self, _):
+        """Get successful logins per hour for the last 24 hours"""
+        return get_events_per_1h(action=EventAction.LOGIN)
+
+    def get_logins_failed_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
+        return get_events_per_1h(action=EventAction.LOGIN_FAILED)
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class AdministrationMetricsViewSet(ViewSet):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: AdministrationMetricsSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = AdministrationMetricsSerializer(True)
+        return Response(serializer.data)
--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -0,0 +1,73 @@
+"""Tasks API"""
+from importlib import import_module
+
+from django.contrib import messages
+from django.db.models import Model
+from django.http.response import Http404
+from django.utils.translation import gettext_lazy as _
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.decorators import action
+from rest_framework.fields import CharField, DateTimeField, IntegerField, ListField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+from authentik.events.monitored_tasks import TaskInfo
+
+
+class TaskSerializer(Serializer):
+    """Serialize TaskInfo and TaskResult"""
+
+    task_name = CharField()
+    task_description = CharField()
+    task_finish_timestamp = DateTimeField(source="finish_timestamp")
+
+    status = IntegerField(source="result.status.value")
+    messages = ListField(source="result.messages")
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class TaskViewSet(ViewSet):
+    """Read-only view set that returns all background tasks"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """List current messages and pass into Serializer"""
+        return Response(TaskSerializer(TaskInfo.all().values(), many=True).data)
+
+    @action(detail=True, methods=["post"])
+    # pylint: disable=invalid-name
+    def retry(self, request: Request, pk=None) -> Response:
+        """Retry task"""
+        task = TaskInfo.by_name(pk)
+        if not task:
+            raise Http404
+        try:
+            task_module = import_module(task.task_call_module)
+            task_func = getattr(task_module, task.task_call_func)
+            task_func.delay(*task.task_call_args, **task.task_call_kwargs)
+            messages.success(
+                self.request,
+                _(
+                    "Successfully re-scheduled Task %(name)s!"
+                    % {"name": task.task_name}
+                ),
+            )
+            return Response(
+                {
+                    "successful": True,
+                }
+            )
+        except ImportError:  # pragma: no cover
+            # if we get an import error, the module path has probably changed
+            task.delete()
+            return Response({"successful": False})
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -0,0 +1,61 @@
+"""authentik administration overview"""
+from django.core.cache import cache
+from django.db.models import Model
+from drf_yasg2.utils import swagger_auto_schema
+from packaging.version import parse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.mixins import ListModelMixin
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik import __version__
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+
+
+class VersionSerializer(Serializer):
+    """Get running and latest version."""
+
+    version_current = SerializerMethodField()
+    version_latest = SerializerMethodField()
+    outdated = SerializerMethodField()
+
+    def get_version_current(self, _) -> str:
+        """Get current version"""
+        return __version__
+
+    def get_version_latest(self, _) -> str:
+        """Get latest version from cache"""
+        version_in_cache = cache.get(VERSION_CACHE_KEY)
+        if not version_in_cache:  # pragma: no cover
+            update_latest_version.delay()
+            return __version__
+        return version_in_cache
+
+    def get_outdated(self, instance) -> bool:
+        """Check if we're running the latest version"""
+        return parse(self.get_version_current(instance)) < parse(
+            self.get_version_latest(instance)
+        )
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class VersionViewSet(ListModelMixin, GenericViewSet):
+    """Get running and latest version."""
+
+    permission_classes = [IsAdminUser]
+
+    def get_queryset(self):  # pragma: no cover
+        return None
+
+    @swagger_auto_schema(responses={200: VersionSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """Get running and latest version."""
+        return Response(VersionSerializer(True).data)
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -0,0 +1,25 @@
+"""authentik administration overview"""
+from rest_framework.mixins import ListModelMixin
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.root.celery import CELERY_APP
+
+
+class WorkerViewSet(ListModelMixin, GenericViewSet):
+    """Get currently connected worker count."""
+
+    serializer_class = Serializer
+    permission_classes = [IsAdminUser]
+
+    def get_queryset(self):  # pragma: no cover
+        return None
+
+    def list(self, request: Request) -> Response:
+        """Get currently connected worker count."""
+        return Response(
+            {"pagination": {"count": len(CELERY_APP.control.ping(timeout=0.5))}}
+        )
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -0,0 +1,11 @@
+"""authentik admin app config"""
+from django.apps import AppConfig
+
+
+class AuthentikAdminConfig(AppConfig):
+    """authentik admin app config"""
+
+    name = "authentik.admin"
+    label = "authentik_admin"
+    mountpoint = "administration/"
+    verbose_name = "authentik Admin"
--- a/authentik/admin/fields.py
+++ b/authentik/admin/fields.py
@ -0,0 +1,107 @@
+"""Additional fields"""
+import yaml
+from django import forms
+from django.utils.datastructures import MultiValueDict
+from django.utils.translation import gettext_lazy as _
+
+
+class ArrayFieldSelectMultiple(forms.SelectMultiple):
+    """This is a Form Widget for use with a Postgres ArrayField. It implements
+    a multi-select interface that can be given a set of `choices`.
+    You can provide a `delimiter` keyword argument to specify the delimeter used.
+
+    https://gist.github.com/stephane/00e73c0002de52b1c601"""
+
+    def __init__(self, *args, **kwargs):
+        # Accept a `delimiter` argument, and grab it (defaulting to a comma)
+        self.delimiter = kwargs.pop("delimiter", ",")
+        super().__init__(*args, **kwargs)
+
+    def value_from_datadict(self, data, files, name):
+        if isinstance(data, MultiValueDict):
+            # Normally, we'd want a list here, which is what we get from the
+            # SelectMultiple superclass, but the SimpleArrayField expects to
+            # get a delimited string, so we're doing a little extra work.
+            return self.delimiter.join(data.getlist(name))
+
+        return data.get(name)
+
+    def get_context(self, name, value, attrs):
+        return super().get_context(name, value.split(self.delimiter), attrs)
+
+
+class CodeMirrorWidget(forms.Textarea):
+    """Custom Textarea-based Widget that triggers a CodeMirror editor"""
+
+    # CodeMirror mode to enable
+    mode: str
+
+    template_name = "fields/codemirror.html"
+
+    def __init__(self, *args, mode="yaml", **kwargs):
+        super().__init__(*args, **kwargs)
+        self.mode = mode
+
+    def render(self, *args, **kwargs):
+        attrs = kwargs.setdefault("attrs", {})
+        attrs["mode"] = self.mode
+        return super().render(*args, **kwargs)
+
+
+class InvalidYAMLInput(str):
+    """Invalid YAML String type"""
+
+
+class YAMLString(str):
+    """YAML String type"""
+
+
+class YAMLField(forms.JSONField):
+    """Django's JSON Field converted to YAML"""
+
+    default_error_messages = {
+        "invalid": _("'%(value)s' value must be valid YAML."),
+    }
+    widget = forms.Textarea
+
+    def to_python(self, value):
+        if self.disabled:
+            return value
+        if value in self.empty_values:
+            return None
+        if isinstance(value, (list, dict, int, float, YAMLString)):
+            return value
+        try:
+            converted = yaml.safe_load(value)
+        except yaml.YAMLError:
+            raise forms.ValidationError(
+                self.error_messages["invalid"],
+                code="invalid",
+                params={"value": value},
+            )
+        if isinstance(converted, str):
+            return YAMLString(converted)
+        if converted is None:
+            return {}
+        return converted
+
+    def bound_data(self, data, initial):
+        if self.disabled:
+            return initial
+        try:
+            return yaml.safe_load(data)
+        except yaml.YAMLError:
+            return InvalidYAMLInput(data)
+
+    def prepare_value(self, value):
+        if isinstance(value, InvalidYAMLInput):
+            return value
+        return yaml.dump(value, explicit_start=True, default_flow_style=False)
+
+    def has_changed(self, initial, data):
+        if super().has_changed(initial, data):
+            return True
+        # For purposes of seeing whether something has changed, True isn't the
+        # same as 1 and the order of keys doesn't matter.
+        data = self.to_python(data)
+        return yaml.dump(initial, sort_keys=True) != yaml.dump(data, sort_keys=True)
--- a/authentik/admin/forms/init.py
+++ b/authentik/admin/forms/init.py
--- a/authentik/admin/forms/overview.py
+++ b/authentik/admin/forms/overview.py
@ -0,0 +1,18 @@
+"""Forms for modals on overview page"""
+from django import forms
+
+
+class PolicyCacheClearForm(forms.Form):
+    """Form to clear Policy cache"""
+
+    title = "Clear Policy cache"
+    body = """Are you sure you want to clear the policy cache?
+    This will cause all policies to be re-evaluated on their next usage."""
+
+
+class FlowCacheClearForm(forms.Form):
+    """Form to clear Flow cache"""
+
+    title = "Clear Flow cache"
+    body = """Are you sure you want to clear the flow cache?
+    This will cause all flows to be re-evaluated on their next usage."""
--- a/authentik/admin/forms/policies.py
+++ b/authentik/admin/forms/policies.py
@ -0,0 +1,12 @@
+"""authentik administration forms"""
+from django import forms
+
+from authentik.admin.fields import CodeMirrorWidget, YAMLField
+from authentik.core.models import User
+
+
+class PolicyTestForm(forms.Form):
+    """Form to test policies against user"""
+
+    user = forms.ModelChoiceField(queryset=User.objects.all())
+    context = YAMLField(widget=CodeMirrorWidget(), required=False, initial=dict)
--- a/authentik/admin/forms/users.py
+++ b/authentik/admin/forms/users.py
@ -0,0 +1,22 @@
+"""authentik administrative user forms"""
+
+from django import forms
+
+from authentik.admin.fields import CodeMirrorWidget, YAMLField
+from authentik.core.models import User
+
+
+class UserForm(forms.ModelForm):
+    """Update User Details"""
+
+    class Meta:
+
+        model = User
+        fields = ["username", "name", "email", "is_active", "attributes"]
+        widgets = {
+            "name": forms.TextInput,
+            "attributes": CodeMirrorWidget,
+        }
+        field_classes = {
+            "attributes": YAMLField,
+        }
--- a/authentik/admin/mixins.py
+++ b/authentik/admin/mixins.py
@ -1,4 +1,4 @@
-"""passbook admin mixins"""
+"""authentik admin mixins"""
 from django.contrib.auth.mixins import UserPassesTestMixin


--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -0,0 +1,10 @@
+"""authentik admin settings"""
+from celery.schedules import crontab
+
+CELERY_BEAT_SCHEDULE = {
+    "admin_latest_version": {
+        "task": "authentik.admin.tasks.update_latest_version",
+        "schedule": crontab(minute=0),  # Run every hour
+        "options": {"queue": "authentik_scheduled"},
+    }
+}
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -0,0 +1,53 @@
+"""authentik admin tasks"""
+import re
+
+from django.core.cache import cache
+from django.core.validators import URLValidator
+from packaging.version import parse
+from requests import RequestException, get
+from structlog.stdlib import get_logger
+
+from authentik import __version__
+from authentik.events.models import Event, EventAction
+from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.root.celery import CELERY_APP
+
+LOGGER = get_logger()
+VERSION_CACHE_KEY = "authentik_latest_version"
+VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
+# Chop of the first ^ because we want to search the entire string
+URL_FINDER = URLValidator.regex.pattern[1:]
+
+
+@CELERY_APP.task(bind=True, base=MonitoredTask)
+def update_latest_version(self: MonitoredTask):
+    """Update latest version info"""
+    try:
+        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
+        response.raise_for_status()
+        data = response.json()
+        tag_name = data.get("tag_name")
+        upstream_version = tag_name.split("/")[1]
+        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
+        self.set_status(
+            TaskResult(
+                TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
+            )
+        )
+        # Check if upstream version is newer than what we're running,
+        # and if no event exists yet, create one.
+        local_version = parse(__version__)
+        if local_version < parse(upstream_version):
+            # Event has already been created, don't create duplicate
+            if Event.objects.filter(
+                action=EventAction.UPDATE_AVAILABLE,
+                context__new_version=upstream_version,
+            ).exists():
+                return
+            event_dict = {"new_version": upstream_version}
+            if match := re.search(URL_FINDER, data.get("body", "")):
+                event_dict["message"] = f"Changelog: {match.group()}"
+            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+    except (RequestException, IndexError) as exc:
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
--- a/authentik/admin/templates/administration/base.html
+++ b/authentik/admin/templates/administration/base.html
@ -0,0 +1,5 @@
+{% load static %}
+{% load i18n %}
+
+{% block content %}
+{% endblock %}
--- a/authentik/admin/templates/administration/certificatekeypair/generate.html
+++ b/authentik/admin/templates/administration/certificatekeypair/generate.html
@ -0,0 +1,14 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% trans 'Generate Certificate-Key Pair' %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% trans 'Generate Certificate-Key Pair' %}
+{% endblock %}
--- a/authentik/admin/templates/administration/flow/import.html
+++ b/authentik/admin/templates/administration/flow/import.html
@ -0,0 +1,13 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+{% trans 'Import Flow' %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% trans 'Import Flow' %}
+{% endblock %}
--- a/authentik/admin/templates/administration/policy/test.html
+++ b/authentik/admin/templates/administration/policy/test.html
@ -0,0 +1,46 @@
+{% extends 'generic/form.html' %}
+
+{% load i18n %}
+
+{% block above_form %}
+<h1>{% blocktrans with policy=policy %}Test {{ policy }}{% endblocktrans %}</h1>
+{% endblock %}
+
+{% block beneath_form %}
+{% if result %}
+<div class="pf-c-form__group ">
+    <div class="pf-c-form__group-label">
+        <label class="pf-c-form__label" for="context-1">
+            <span class="pf-c-form__label-text">{% trans 'Passing' %}</span>
+        </label>
+    </div>
+    <div class="pf-c-form__group-label">
+        <div class="c-form__horizontal-group">
+            <span class="pf-c-form__label-text">{{ result.passing|yesno:"Yes,No" }}</span>
+        </div>
+    </div>
+</div>
+<div class="pf-c-form__group ">
+    <div class="pf-c-form__group-label">
+        <label class="pf-c-form__label" for="context-1">
+            <span class="pf-c-form__label-text">{% trans 'Messages' %}</span>
+        </label>
+    </div>
+    <div class="pf-c-form__group-label">
+        <div class="c-form__horizontal-group">
+            <ul>
+                {% for m in result.messages %}
+                <li><span class="pf-c-form__label-text">{{ m }}</span></li>
+                {% empty %}
+                <li><span class="pf-c-form__label-text">-</span></li>
+                {% endfor %}
+            </ul>
+        </div>
+    </div>
+</div>
+{% endif %}
+{% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}
--- a/authentik/admin/templates/administration/user/disable.html
+++ b/authentik/admin/templates/administration/user/disable.html
@ -0,0 +1,42 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        {% block above_form %}
+        <h1>
+            {% blocktrans with object_type=object|verbose_name %}
+            Disable {{ object_type }}
+            {% endblocktrans %}
+        </h1>
+        {% endblock %}
+    </div>
+</section>
+<section class="pf-c-page__main-section">
+    <div class="pf-l-stack">
+        <div class="pf-l-stack__item">
+            <div class="pf-c-card">
+                <div class="pf-c-card__body">
+                    <form action="" method="post" class="pf-c-form">
+                        {% csrf_token %}
+                        <p>
+                            {% blocktrans with object_type=object|verbose_name name=object %}
+                            Are you sure you want to disable {{ object_type }} "{{ object }}"?
+                            {% endblocktrans %}
+                        </p>
+                        <div class="pf-c-form__group pf-m-action">
+                            <div class="pf-c-form__actions">
+                                <input class="pf-c-button pf-m-danger" type="submit" value="{% trans 'Disable' %}" />
+                                <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Back" %}</a>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+{% endblock %}
--- a/authentik/admin/templates/fields/codemirror.html
+++ b/authentik/admin/templates/fields/codemirror.html
@ -0,0 +1 @@
+<ak-codemirror mode="{{ widget.attrs.mode }}"><textarea class="pf-c-form-control" name="{{ widget.name }}">{% if widget.value %}{{ widget.value }}{% endif %}</textarea></ak-codemirror>
--- a/authentik/admin/templates/generic/create.html
+++ b/authentik/admin/templates/generic/create.html
@ -0,0 +1,18 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% blocktrans with type=form|form_verbose_name %}
+    Create {{ type }}
+    {% endblocktrans %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% blocktrans with type=form|form_verbose_name %}
+Create {{ type }}
+{% endblocktrans %}
+{% endblock %}
--- a/authentik/admin/templates/generic/form.html
+++ b/authentik/admin/templates/generic/form.html
@ -0,0 +1,40 @@
+{% extends container_template|default:"administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load static %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        {% block above_form %}
+        {% endblock %}
+    </div>
+</section>
+<section class="pf-c-page__main-section">
+    <div class="pf-l-stack">
+        <div class="pf-l-stack__item">
+            <div class="pf-c-card">
+                <div class="pf-c-card__body">
+                    <form id="main-form" action="" method="post" class="pf-c-form pf-m-horizontal" enctype="multipart/form-data">
+                        {% include 'partials/form_horizontal.html' with form=form %}
+                        {% block beneath_form %}
+                        {% endblock %}
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+<footer class="pf-c-modal-box__footer">
+    <ak-spinner-button form="main-form">
+        {% block action %}{% endblock %}
+    </ak-spinner-button>&nbsp;
+    <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Cancel" %}</a>
+</footer>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}
--- a/authentik/admin/templates/generic/form_non_model.html
+++ b/authentik/admin/templates/generic/form_non_model.html
@ -0,0 +1,20 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% trans form.title %}
+</h1>
+{% endblock %}
+
+{% block beneath_form %}
+<p>
+    {% trans form.body %}
+</p>
+{% endblock %}
+
+{% block action %}
+{% trans 'Confirm' %}
+{% endblock %}
--- a/authentik/admin/templates/generic/update.html
+++ b/authentik/admin/templates/generic/update.html
@ -0,0 +1,18 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% blocktrans with type=form|form_verbose_name|title inst=form.instance %}
+    Update {{ inst }}
+    {% endblocktrans %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% blocktrans with type=form|form_verbose_name %}
+Update {{ type }}
+{% endblocktrans %}
+{% endblock %}
--- a/authentik/admin/tests/init.py
+++ b/authentik/admin/tests/init.py
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -0,0 +1,73 @@
+"""test admin api"""
+from json import loads
+
+from django.test import TestCase
+from django.urls import reverse
+
+from authentik import __version__
+from authentik.core.models import Group, User
+from authentik.core.tasks import clean_expired_models
+
+
+class TestAdminAPI(TestCase):
+    """test admin api"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.create(username="test-user")
+        self.group = Group.objects.create(name="superusers", is_superuser=True)
+        self.group.users.add(self.user)
+        self.group.save()
+        self.client.force_login(self.user)
+
+    def test_tasks(self):
+        """Test Task API"""
+        clean_expired_models.delay()
+        response = self.client.get(reverse("authentik_api:admin_system_tasks-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertTrue(
+            any([task["task_name"] == "clean_expired_models" for task in body])
+        )
+
+    def test_tasks_retry(self):
+        """Test Task API (retry)"""
+        clean_expired_models.delay()
+        response = self.client.post(
+            reverse(
+                "authentik_api:admin_system_tasks-retry",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertTrue(body["successful"])
+
+    def test_tasks_retry_404(self):
+        """Test Task API (retry, 404)"""
+        response = self.client.post(
+            reverse(
+                "authentik_api:admin_system_tasks-retry",
+                kwargs={"pk": "qwerqewrqrqewrqewr"},
+            )
+        )
+        self.assertEqual(response.status_code, 404)
+
+    def test_version(self):
+        """Test Version API"""
+        response = self.client.get(reverse("authentik_api:admin_version-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["version_current"], __version__)
+
+    def test_workers(self):
+        """Test Workers API"""
+        response = self.client.get(reverse("authentik_api:admin_workers-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["pagination"]["count"], 0)
+
+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics-list"))
+        self.assertEqual(response.status_code, 200)
--- a/authentik/admin/tests/test_generated.py
+++ b/authentik/admin/tests/test_generated.py
@ -0,0 +1,66 @@
+"""admin tests"""
+from importlib import import_module
+from typing import Callable
+
+from django.forms import ModelForm
+from django.test import Client, TestCase
+from django.urls import reverse
+from django.urls.exceptions import NoReverseMatch
+
+from authentik.admin.urls import urlpatterns
+from authentik.core.models import Group, User
+from authentik.lib.utils.reflection import get_apps
+
+
+class TestAdmin(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.user = User.objects.create_user(username="test")
+        self.user.ak_groups.add(Group.objects.filter(is_superuser=True).first())
+        self.user.save()
+        self.client = Client()
+        self.client.force_login(self.user)
+
+
+def generic_view_tester(view_name: str) -> Callable:
+    """This is used instead of subTest for better visibility"""
+
+    def tester(self: TestAdmin):
+        try:
+            full_url = reverse(f"authentik_admin:{view_name}")
+            response = self.client.get(full_url)
+            self.assertTrue(response.status_code < 500)
+        except NoReverseMatch:
+            pass
+
+    return tester
+
+
+for url in urlpatterns:
+    method_name = url.name.replace("-", "_")
+    setattr(TestAdmin, f"test_view_{method_name}", generic_view_tester(url.name))
+
+
+def generic_form_tester(form: ModelForm) -> Callable:
+    """Test a form"""
+
+    def tester(self: TestAdmin):
+        form_inst = form()
+        self.assertFalse(form_inst.is_valid())
+
+    return tester
+
+
+# Load the forms module from every app, so we have all forms loaded
+for app in get_apps():
+    module = app.__module__.replace(".apps", ".forms")
+    try:
+        import_module(module)
+    except ImportError:
+        pass
+
+for form_class in ModelForm.__subclasses__():
+    setattr(
+        TestAdmin, f"test_form_{form_class.__name__}", generic_form_tester(form_class)
+    )
--- a/authentik/admin/tests/test_policy_binding.py
+++ b/authentik/admin/tests/test_policy_binding.py
@ -0,0 +1,43 @@
+"""admin tests"""
+from uuid import uuid4
+
+from django import forms
+from django.test import TestCase
+from django.test.client import RequestFactory
+
+from authentik.admin.views.policies_bindings import PolicyBindingCreateView
+from authentik.core.models import Application
+from authentik.policies.forms import PolicyBindingForm
+
+
+class TestPolicyBindingView(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_without_get_param(self):
+        """Test PolicyBindingCreateView without get params"""
+        request = self.factory.get("/")
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params_invalid(self):
+        """Test PolicyBindingCreateView with invalid get params"""
+        request = self.factory.get("/", {"target": uuid4()})
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params(self):
+        """Test PolicyBindingCreateView with get params"""
+        target = Application.objects.create(name="test")
+        request = self.factory.get("/", {"target": target.pk.hex})
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
+
+        self.assertTrue(
+            isinstance(
+                PolicyBindingForm(initial={"target": "foo"}).fields["target"].widget,
+                forms.HiddenInput,
+            )
+        )
--- a/authentik/admin/tests/test_stage_bindings.py
+++ b/authentik/admin/tests/test_stage_bindings.py
@ -0,0 +1,43 @@
+"""admin tests"""
+from uuid import uuid4
+
+from django import forms
+from django.test import TestCase
+from django.test.client import RequestFactory
+
+from authentik.admin.views.stages_bindings import StageBindingCreateView
+from authentik.flows.forms import FlowStageBindingForm
+from authentik.flows.models import Flow
+
+
+class TestStageBindingView(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_without_get_param(self):
+        """Test StageBindingCreateView without get params"""
+        request = self.factory.get("/")
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params_invalid(self):
+        """Test StageBindingCreateView with invalid get params"""
+        request = self.factory.get("/", {"target": uuid4()})
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params(self):
+        """Test StageBindingCreateView with get params"""
+        target = Flow.objects.create(name="test", slug="test")
+        request = self.factory.get("/", {"target": target.pk.hex})
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
+
+        self.assertTrue(
+            isinstance(
+                FlowStageBindingForm(initial={"target": "foo"}).fields["target"].widget,
+                forms.HiddenInput,
+            )
+        )
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -0,0 +1,81 @@
+"""test admin tasks"""
+import json
+from dataclasses import dataclass
+from unittest.mock import Mock, patch
+
+from django.core.cache import cache
+from django.test import TestCase
+from requests.exceptions import RequestException
+
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+from authentik.events.models import Event, EventAction
+
+
+@dataclass
+class MockResponse:
+    """Mock class to emulate the methods of requests's Response we need"""
+
+    status_code: int
+    response: str
+
+    def json(self) -> dict:
+        """Get json parsed response"""
+        return json.loads(self.response)
+
+    def raise_for_status(self):
+        """raise RequestException if status code is 400 or more"""
+        if self.status_code >= 400:
+            raise RequestException
+
+
+REQUEST_MOCK_VALID = Mock(
+    return_value=MockResponse(
+        200,
+        """{
+            "tag_name": "version/99999999.9999999",
+            "body": "https://goauthentik.io/test"
+        }""",
+    )
+)
+
+REQUEST_MOCK_INVALID = Mock(return_value=MockResponse(400, "{}"))
+
+
+class TestAdminTasks(TestCase):
+    """test admin tasks"""
+
+    @patch("authentik.admin.tasks.get", REQUEST_MOCK_VALID)
+    def test_version_valid_response(self):
+        """Test Update checker with valid response"""
+        update_latest_version.delay().get()
+        self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.UPDATE_AVAILABLE,
+                context__new_version="99999999.9999999",
+                context__message="Changelog: https://goauthentik.io/test",
+            ).exists()
+        )
+        # test that a consecutive check doesn't create a duplicate event
+        update_latest_version.delay().get()
+        self.assertEqual(
+            len(
+                Event.objects.filter(
+                    action=EventAction.UPDATE_AVAILABLE,
+                    context__new_version="99999999.9999999",
+                    context__message="Changelog: https://goauthentik.io/test",
+                )
+            ),
+            1,
+        )
+
+    @patch("authentik.admin.tasks.get", REQUEST_MOCK_INVALID)
+    def test_version_error(self):
+        """Test Update checker with invalid response"""
+        update_latest_version.delay().get()
+        self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
+        self.assertFalse(
+            Event.objects.filter(
+                action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
+            ).exists()
+        )
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -0,0 +1,344 @@
+"""authentik URL Configuration"""
+from django.urls import path
+
+from authentik.admin.views import (
+    applications,
+    certificate_key_pair,
+    events_notifications_rules,
+    events_notifications_transports,
+    flows,
+    groups,
+    outposts,
+    outposts_service_connections,
+    overview,
+    policies,
+    policies_bindings,
+    property_mappings,
+    providers,
+    sources,
+    stages,
+    stages_bindings,
+    stages_invitations,
+    stages_prompts,
+    tokens,
+    users,
+)
+from authentik.providers.saml.views.metadata import MetadataImportView
+
+urlpatterns = [
+    path(
+        "overview/cache/flow/",
+        overview.FlowCacheClearView.as_view(),
+        name="overview-clear-flow-cache",
+    ),
+    path(
+        "overview/cache/policy/",
+        overview.PolicyCacheClearView.as_view(),
+        name="overview-clear-policy-cache",
+    ),
+    # Applications
+    path(
+        "applications/create/",
+        applications.ApplicationCreateView.as_view(),
+        name="application-create",
+    ),
+    path(
+        "applications/<uuid:pk>/update/",
+        applications.ApplicationUpdateView.as_view(),
+        name="application-update",
+    ),
+    path(
+        "applications/<uuid:pk>/delete/",
+        applications.ApplicationDeleteView.as_view(),
+        name="application-delete",
+    ),
+    # Tokens
+    path(
+        "tokens/<uuid:pk>/delete/",
+        tokens.TokenDeleteView.as_view(),
+        name="token-delete",
+    ),
+    # Sources
+    path("sources/create/", sources.SourceCreateView.as_view(), name="source-create"),
+    path(
+        "sources/<uuid:pk>/update/",
+        sources.SourceUpdateView.as_view(),
+        name="source-update",
+    ),
+    path(
+        "sources/<uuid:pk>/delete/",
+        sources.SourceDeleteView.as_view(),
+        name="source-delete",
+    ),
+    # Policies
+    path("policies/create/", policies.PolicyCreateView.as_view(), name="policy-create"),
+    path(
+        "policies/<uuid:pk>/update/",
+        policies.PolicyUpdateView.as_view(),
+        name="policy-update",
+    ),
+    path(
+        "policies/<uuid:pk>/delete/",
+        policies.PolicyDeleteView.as_view(),
+        name="policy-delete",
+    ),
+    path(
+        "policies/<uuid:pk>/test/",
+        policies.PolicyTestView.as_view(),
+        name="policy-test",
+    ),
+    # Policy bindings
+    path(
+        "policies/bindings/create/",
+        policies_bindings.PolicyBindingCreateView.as_view(),
+        name="policy-binding-create",
+    ),
+    path(
+        "policies/bindings/<uuid:pk>/update/",
+        policies_bindings.PolicyBindingUpdateView.as_view(),
+        name="policy-binding-update",
+    ),
+    path(
+        "policies/bindings/<uuid:pk>/delete/",
+        policies_bindings.PolicyBindingDeleteView.as_view(),
+        name="policy-binding-delete",
+    ),
+    # Providers
+    path(
+        "providers/create/",
+        providers.ProviderCreateView.as_view(),
+        name="provider-create",
+    ),
+    path(
+        "providers/create/saml/from-metadata/",
+        MetadataImportView.as_view(),
+        name="provider-saml-from-metadata",
+    ),
+    path(
+        "providers/<int:pk>/update/",
+        providers.ProviderUpdateView.as_view(),
+        name="provider-update",
+    ),
+    path(
+        "providers/<int:pk>/delete/",
+        providers.ProviderDeleteView.as_view(),
+        name="provider-delete",
+    ),
+    # Stages
+    path("stages/create/", stages.StageCreateView.as_view(), name="stage-create"),
+    path(
+        "stages/<uuid:pk>/update/",
+        stages.StageUpdateView.as_view(),
+        name="stage-update",
+    ),
+    path(
+        "stages/<uuid:pk>/delete/",
+        stages.StageDeleteView.as_view(),
+        name="stage-delete",
+    ),
+    # Stage bindings
+    path(
+        "stages/bindings/create/",
+        stages_bindings.StageBindingCreateView.as_view(),
+        name="stage-binding-create",
+    ),
+    path(
+        "stages/bindings/<uuid:pk>/update/",
+        stages_bindings.StageBindingUpdateView.as_view(),
+        name="stage-binding-update",
+    ),
+    path(
+        "stages/bindings/<uuid:pk>/delete/",
+        stages_bindings.StageBindingDeleteView.as_view(),
+        name="stage-binding-delete",
+    ),
+    # Stage Prompts
+    path(
+        "stages_prompts/create/",
+        stages_prompts.PromptCreateView.as_view(),
+        name="stage-prompt-create",
+    ),
+    path(
+        "stages_prompts/<uuid:pk>/update/",
+        stages_prompts.PromptUpdateView.as_view(),
+        name="stage-prompt-update",
+    ),
+    path(
+        "stages_prompts/<uuid:pk>/delete/",
+        stages_prompts.PromptDeleteView.as_view(),
+        name="stage-prompt-delete",
+    ),
+    # Stage Invitations
+    path(
+        "stages/invitations/create/",
+        stages_invitations.InvitationCreateView.as_view(),
+        name="stage-invitation-create",
+    ),
+    path(
+        "stages/invitations/<uuid:pk>/delete/",
+        stages_invitations.InvitationDeleteView.as_view(),
+        name="stage-invitation-delete",
+    ),
+    # Flows
+    path(
+        "flows/create/",
+        flows.FlowCreateView.as_view(),
+        name="flow-create",
+    ),
+    path(
+        "flows/import/",
+        flows.FlowImportView.as_view(),
+        name="flow-import",
+    ),
+    path(
+        "flows/<uuid:pk>/update/",
+        flows.FlowUpdateView.as_view(),
+        name="flow-update",
+    ),
+    path(
+        "flows/<uuid:pk>/execute/",
+        flows.FlowDebugExecuteView.as_view(),
+        name="flow-execute",
+    ),
+    path(
+        "flows/<uuid:pk>/export/",
+        flows.FlowExportView.as_view(),
+        name="flow-export",
+    ),
+    path(
+        "flows/<uuid:pk>/delete/",
+        flows.FlowDeleteView.as_view(),
+        name="flow-delete",
+    ),
+    # Property Mappings
+    path(
+        "property-mappings/create/",
+        property_mappings.PropertyMappingCreateView.as_view(),
+        name="property-mapping-create",
+    ),
+    path(
+        "property-mappings/<uuid:pk>/update/",
+        property_mappings.PropertyMappingUpdateView.as_view(),
+        name="property-mapping-update",
+    ),
+    path(
+        "property-mappings/<uuid:pk>/delete/",
+        property_mappings.PropertyMappingDeleteView.as_view(),
+        name="property-mapping-delete",
+    ),
+    path(
+        "property-mappings/<uuid:pk>/test/",
+        property_mappings.PropertyMappingTestView.as_view(),
+        name="property-mapping-test",
+    ),
+    # Users
+    path("users/create/", users.UserCreateView.as_view(), name="user-create"),
+    path("users/<int:pk>/update/", users.UserUpdateView.as_view(), name="user-update"),
+    path("users/<int:pk>/delete/", users.UserDeleteView.as_view(), name="user-delete"),
+    path(
+        "users/<int:pk>/disable/", users.UserDisableView.as_view(), name="user-disable"
+    ),
+    path("users/<int:pk>/enable/", users.UserEnableView.as_view(), name="user-enable"),
+    path(
+        "users/<int:pk>/reset/",
+        users.UserPasswordResetView.as_view(),
+        name="user-password-reset",
+    ),
+    # Groups
+    path("groups/create/", groups.GroupCreateView.as_view(), name="group-create"),
+    path(
+        "groups/<uuid:pk>/update/",
+        groups.GroupUpdateView.as_view(),
+        name="group-update",
+    ),
+    path(
+        "groups/<uuid:pk>/delete/",
+        groups.GroupDeleteView.as_view(),
+        name="group-delete",
+    ),
+    # Certificate-Key Pairs
+    path(
+        "crypto/certificates/create/",
+        certificate_key_pair.CertificateKeyPairCreateView.as_view(),
+        name="certificatekeypair-create",
+    ),
+    path(
+        "crypto/certificates/generate/",
+        certificate_key_pair.CertificateKeyPairGenerateView.as_view(),
+        name="certificatekeypair-generate",
+    ),
+    path(
+        "crypto/certificates/<uuid:pk>/update/",
+        certificate_key_pair.CertificateKeyPairUpdateView.as_view(),
+        name="certificatekeypair-update",
+    ),
+    path(
+        "crypto/certificates/<uuid:pk>/delete/",
+        certificate_key_pair.CertificateKeyPairDeleteView.as_view(),
+        name="certificatekeypair-delete",
+    ),
+    # Outposts
+    path(
+        "outposts/create/",
+        outposts.OutpostCreateView.as_view(),
+        name="outpost-create",
+    ),
+    path(
+        "outposts/<uuid:pk>/update/",
+        outposts.OutpostUpdateView.as_view(),
+        name="outpost-update",
+    ),
+    path(
+        "outposts/<uuid:pk>/delete/",
+        outposts.OutpostDeleteView.as_view(),
+        name="outpost-delete",
+    ),
+    # Outpost Service Connections
+    path(
+        "outpost_service_connections/create/",
+        outposts_service_connections.OutpostServiceConnectionCreateView.as_view(),
+        name="outpost-service-connection-create",
+    ),
+    path(
+        "outpost_service_connections/<uuid:pk>/update/",
+        outposts_service_connections.OutpostServiceConnectionUpdateView.as_view(),
+        name="outpost-service-connection-update",
+    ),
+    path(
+        "outpost_service_connections/<uuid:pk>/delete/",
+        outposts_service_connections.OutpostServiceConnectionDeleteView.as_view(),
+        name="outpost-service-connection-delete",
+    ),
+    # Event Notification Transpots
+    path(
+        "events/transports/create/",
+        events_notifications_transports.NotificationTransportCreateView.as_view(),
+        name="notification-transport-create",
+    ),
+    path(
+        "events/transports/<uuid:pk>/update/",
+        events_notifications_transports.NotificationTransportUpdateView.as_view(),
+        name="notification-transport-update",
+    ),
+    path(
+        "events/transports/<uuid:pk>/delete/",
+        events_notifications_transports.NotificationTransportDeleteView.as_view(),
+        name="notification-transport-delete",
+    ),
+    # Event Notification Rules
+    path(
+        "events/rules/create/",
+        events_notifications_rules.NotificationRuleCreateView.as_view(),
+        name="notification-rule-create",
+    ),
+    path(
+        "events/rules/<uuid:pk>/update/",
+        events_notifications_rules.NotificationRuleUpdateView.as_view(),
+        name="notification-rule-update",
+    ),
+    path(
+        "events/rules/<uuid:pk>/delete/",
+        events_notifications_rules.NotificationRuleDeleteView.as_view(),
+        name="notification-rule-delete",
+    ),
+]
--- a/passbook/admin/templatetags/init.py
+++ b/passbook/admin/templatetags/init.py
--- a/authentik/admin/views/applications.py
+++ b/authentik/admin/views/applications.py
@ -0,0 +1,80 @@
+"""authentik Application administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+from guardian.shortcuts import get_objects_for_user
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.core.forms.applications import ApplicationForm
+from authentik.core.models import Application
+from authentik.lib.views import CreateAssignPermView
+
+
+class ApplicationCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Application"""
+
+    model = Application
+    form_class = ApplicationForm
+    permission_required = "authentik_core.add_application"
+
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Application")
+
+    def get_initial(self) -> dict[str, Any]:
+        if "provider" in self.request.GET:
+            try:
+                initial_provider_pk = int(self.request.GET["provider"])
+            except ValueError:
+                return super().get_initial()
+            providers = (
+                get_objects_for_user(self.request.user, "authentik_core.view_provider")
+                .filter(pk=initial_provider_pk)
+                .select_subclasses()
+            )
+            if not providers.exists():
+                return {}
+            return {"provider": providers.first()}
+        return super().get_initial()
+
+
+class ApplicationUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update application"""
+
+    model = Application
+    form_class = ApplicationForm
+    permission_required = "authentik_core.change_application"
+
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Application")
+
+
+class ApplicationDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete application"""
+
+    model = Application
+    permission_required = "authentik_core.delete_application"
+
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Application")
--- a/authentik/admin/views/certificate_key_pair.py
+++ b/authentik/admin/views/certificate_key_pair.py
@ -0,0 +1,95 @@
+"""authentik CertificateKeyPair administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http.response import HttpResponse
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from django.views.generic.edit import FormView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.crypto.builder import CertificateBuilder
+from authentik.crypto.forms import (
+    CertificateKeyPairForm,
+    CertificateKeyPairGenerateForm,
+)
+from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.views import CreateAssignPermView
+
+
+class CertificateKeyPairCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new CertificateKeyPair"""
+
+    model = CertificateKeyPair
+    form_class = CertificateKeyPairForm
+    permission_required = "authentik_crypto.add_certificatekeypair"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Certificate-Key Pair")
+
+
+class CertificateKeyPairGenerateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    FormView,
+):
+    """Generate new CertificateKeyPair"""
+
+    model = CertificateKeyPair
+    form_class = CertificateKeyPairGenerateForm
+    permission_required = "authentik_crypto.add_certificatekeypair"
+
+    template_name = "administration/certificatekeypair/generate.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully generated Certificate-Key Pair")
+
+    def form_valid(self, form: CertificateKeyPairGenerateForm) -> HttpResponse:
+        builder = CertificateBuilder()
+        builder.common_name = form.data["common_name"]
+        builder.build(
+            subject_alt_names=form.data.get("subject_alt_name", "").split(","),
+            validity_days=int(form.data["validity_days"]),
+        )
+        builder.save()
+        return super().form_valid(form)
+
+
+class CertificateKeyPairUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update certificatekeypair"""
+
+    model = CertificateKeyPair
+    form_class = CertificateKeyPairForm
+    permission_required = "authentik_crypto.change_certificatekeypair"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Certificate-Key Pair")
+
+
+class CertificateKeyPairDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete certificatekeypair"""
+
+    model = CertificateKeyPair
+    permission_required = "authentik_crypto.delete_certificatekeypair"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Certificate-Key Pair")
--- a/authentik/admin/views/events_notifications_rules.py
+++ b/authentik/admin/views/events_notifications_rules.py
@ -0,0 +1,61 @@
+"""authentik NotificationRule administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.events.forms import NotificationRuleForm
+from authentik.events.models import NotificationRule
+from authentik.lib.views import CreateAssignPermView
+
+
+class NotificationRuleCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new NotificationRule"""
+
+    model = NotificationRule
+    form_class = NotificationRuleForm
+    permission_required = "authentik_events.add_NotificationRule"
+
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Notification Rule")
+
+
+class NotificationRuleUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update application"""
+
+    model = NotificationRule
+    form_class = NotificationRuleForm
+    permission_required = "authentik_events.change_NotificationRule"
+
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Notification Rule")
+
+
+class NotificationRuleDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete application"""
+
+    model = NotificationRule
+    permission_required = "authentik_events.delete_NotificationRule"
+
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Notification Rule")
--- a/authentik/admin/views/events_notifications_transports.py
+++ b/authentik/admin/views/events_notifications_transports.py
@ -0,0 +1,58 @@
+"""authentik NotificationTransport administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.events.forms import NotificationTransportForm
+from authentik.events.models import NotificationTransport
+from authentik.lib.views import CreateAssignPermView
+
+
+class NotificationTransportCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new NotificationTransport"""
+
+    model = NotificationTransport
+    form_class = NotificationTransportForm
+    permission_required = "authentik_events.add_notificationtransport"
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Notification Transport")
+
+
+class NotificationTransportUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update application"""
+
+    model = NotificationTransport
+    form_class = NotificationTransportForm
+    permission_required = "authentik_events.change_notificationtransport"
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Notification Transport")
+
+
+class NotificationTransportDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete application"""
+
+    model = NotificationTransport
+    permission_required = "authentik_events.delete_notificationtransport"
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Notification Transport")
--- a/authentik/admin/views/flows.py
+++ b/authentik/admin/views/flows.py
@ -0,0 +1,138 @@
+"""authentik Flow administration"""
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import DetailView, FormView, UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.flows.exceptions import FlowNonApplicableException
+from authentik.flows.forms import FlowForm, FlowImportForm
+from authentik.flows.models import Flow
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.transfer.common import DataclassEncoder
+from authentik.flows.transfer.exporter import FlowExporter
+from authentik.flows.transfer.importer import FlowImporter
+from authentik.flows.views import SESSION_KEY_PLAN, FlowPlanner
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.lib.views import CreateAssignPermView, bad_request_message
+
+
+class FlowCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "authentik_flows.add_flow"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Flow")
+
+
+class FlowUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "authentik_flows.change_flow"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Flow")
+
+
+class FlowDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete flow"""
+
+    model = Flow
+    permission_required = "authentik_flows.delete_flow"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Flow")
+
+
+class FlowDebugExecuteView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Debug exectue flow, setting the current user as pending user"""
+
+    model = Flow
+    permission_required = "authentik_flows.view_flow"
+
+    # pylint: disable=unused-argument
+    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
+        """Debug exectue flow, setting the current user as pending user"""
+        flow: Flow = self.get_object()
+        planner = FlowPlanner(flow)
+        planner.use_cache = False
+        try:
+            plan = planner.plan(self.request, {PLAN_CONTEXT_PENDING_USER: request.user})
+            self.request.session[SESSION_KEY_PLAN] = plan
+        except FlowNonApplicableException as exc:
+            return bad_request_message(
+                request,
+                _(
+                    "Flow not applicable to current user/request: %(messages)s"
+                    % {"messages": str(exc)}
+                ),
+            )
+        return redirect_with_qs(
+            "authentik_flows:flow-executor-shell",
+            self.request.GET,
+            flow_slug=flow.slug,
+        )
+
+
+class FlowImportView(LoginRequiredMixin, FormView):
+    """Import flow from JSON Export; only allowed for superusers
+    as these flows can contain python code"""
+
+    form_class = FlowImportForm
+    template_name = "administration/flow/import.html"
+    success_url = reverse_lazy("authentik_core:shell")
+
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_superuser:
+            return self.handle_no_permission()
+        return super().dispatch(request, *args, **kwargs)
+
+    def form_valid(self, form: FlowImportForm) -> HttpResponse:
+        importer = FlowImporter(form.cleaned_data["flow"].read().decode())
+        successful = importer.apply()
+        if not successful:
+            messages.error(self.request, _("Failed to import flow."))
+        else:
+            messages.success(self.request, _("Successfully imported flow."))
+        return super().form_valid(form)
+
+
+class FlowExportView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Export Flow"""
+
+    model = Flow
+    permission_required = "authentik_flows.export_flow"
+
+    # pylint: disable=unused-argument
+    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
+        """Debug exectue flow, setting the current user as pending user"""
+        flow: Flow = self.get_object()
+        exporter = FlowExporter(flow)
+        response = JsonResponse(exporter.export(), encoder=DataclassEncoder, safe=False)
+        response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
+        return response
--- a/authentik/admin/views/groups.py
+++ b/authentik/admin/views/groups.py
@ -0,0 +1,60 @@
+"""authentik Group administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.core.forms.groups import GroupForm
+from authentik.core.models import Group
+from authentik.lib.views import CreateAssignPermView
+
+
+class GroupCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Group"""
+
+    model = Group
+    form_class = GroupForm
+    permission_required = "authentik_core.add_group"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Group")
+
+
+class GroupUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update group"""
+
+    model = Group
+    form_class = GroupForm
+    permission_required = "authentik_core.change_group"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Group")
+
+
+class GroupDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete group"""
+
+    model = Group
+    permission_required = "authentik_flows.delete_group"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Group")
--- a/authentik/admin/views/outposts.py
+++ b/authentik/admin/views/outposts.py
@ -0,0 +1,66 @@
+"""authentik Outpost administration"""
+from dataclasses import asdict
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.lib.views import CreateAssignPermView
+from authentik.outposts.forms import OutpostForm
+from authentik.outposts.models import Outpost, OutpostConfig
+
+
+class OutpostCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Outpost"""
+
+    model = Outpost
+    form_class = OutpostForm
+    permission_required = "authentik_outposts.add_outpost"
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Outpost")
+
+    def get_initial(self) -> dict[str, Any]:
+        return {
+            "_config": asdict(
+                OutpostConfig(authentik_host=self.request.build_absolute_uri("/"))
+            )
+        }
+
+
+class OutpostUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update outpost"""
+
+    model = Outpost
+    form_class = OutpostForm
+    permission_required = "authentik_outposts.change_outpost"
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Outpost")
+
+
+class OutpostDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete outpost"""
+
+    model = Outpost
+    permission_required = "authentik_outposts.delete_outpost"
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Outpost")
--- a/authentik/admin/views/outposts_service_connections.py
+++ b/authentik/admin/views/outposts_service_connections.py
@ -0,0 +1,61 @@
+"""authentik OutpostServiceConnection administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.outposts.models import OutpostServiceConnection
+
+
+class OutpostServiceConnectionCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new OutpostServiceConnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.add_outpostserviceconnection"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Outpost Service Connection")
+
+
+class OutpostServiceConnectionUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update outpostserviceconnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.change_outpostserviceconnection"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Outpost Service Connection")
+
+
+class OutpostServiceConnectionDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete outpostserviceconnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.delete_outpostserviceconnection"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Outpost Service Connection")
--- a/authentik/admin/views/overview.py
+++ b/authentik/admin/views/overview.py
@ -0,0 +1,47 @@
+"""authentik administration overview"""
+from django.contrib.messages.views import SuccessMessageMixin
+from django.core.cache import cache
+from django.http.request import HttpRequest
+from django.http.response import HttpResponse
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from structlog.stdlib import get_logger
+
+from authentik.admin.forms.overview import FlowCacheClearForm, PolicyCacheClearForm
+from authentik.admin.mixins import AdminRequiredMixin
+from authentik.core.api.applications import user_app_cache_key
+
+LOGGER = get_logger()
+
+
+class PolicyCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
+    """View to clear Policy cache"""
+
+    form_class = PolicyCacheClearForm
+    success_url = "/"
+    template_name = "generic/form_non_model.html"
+    success_message = _("Successfully cleared Policy cache")
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        keys = cache.keys("policy_*")
+        cache.delete_many(keys)
+        LOGGER.debug("Cleared Policy cache", keys=len(keys))
+        # Also delete user application cache
+        keys = cache.keys(user_app_cache_key("*"))
+        cache.delete_many(keys)
+        return super().post(request, *args, **kwargs)
+
+
+class FlowCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
+    """View to clear Flow cache"""
+
+    form_class = FlowCacheClearForm
+    success_url = "/"
+    template_name = "generic/form_non_model.html"
+    success_message = _("Successfully cleared Flow cache")
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        keys = cache.keys("flow_*")
+        cache.delete_many(keys)
+        LOGGER.debug("Cleared flow cache", keys=len(keys))
+        return super().post(request, *args, **kwargs)
--- a/authentik/admin/views/policies.py
+++ b/authentik/admin/views/policies.py
@ -0,0 +1,104 @@
+"""authentik Policy administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpResponse
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from django.views.generic.detail import DetailView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.forms.policies import PolicyTestForm
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.policies.models import Policy, PolicyBinding
+from authentik.policies.process import PolicyProcess, PolicyRequest
+
+
+class PolicyCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.add_policy"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Policy")
+
+
+class PolicyUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.change_policy"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Policy")
+
+
+class PolicyDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.delete_policy"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Policy")
+
+
+class PolicyTestView(LoginRequiredMixin, DetailView, PermissionRequiredMixin, FormView):
+    """View to test policy(s)"""
+
+    model = Policy
+    form_class = PolicyTestForm
+    permission_required = "authentik_policies.view_policy"
+    template_name = "administration/policy/test.html"
+    object = None
+
+    def get_object(self, queryset=None) -> Policy:
+        return (
+            Policy.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
+        )
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["policy"] = self.get_object()
+        return super().get_context_data(**kwargs)
+
+    def post(self, *args, **kwargs) -> HttpResponse:
+        self.object = self.get_object()
+        return super().post(*args, **kwargs)
+
+    def form_valid(self, form: PolicyTestForm) -> HttpResponse:
+        policy = self.get_object()
+        user = form.cleaned_data.get("user")
+
+        p_request = PolicyRequest(user)
+        p_request.debug = True
+        p_request.set_http_request(self.request)
+        p_request.context = form.cleaned_data.get("context", {})
+
+        proc = PolicyProcess(PolicyBinding(policy=policy), p_request, None)
+        result = proc.execute()
+        context = self.get_context_data(form=form)
+        context["result"] = result
+        return self.render_to_response(context)
--- a/authentik/admin/views/policies_bindings.py
+++ b/authentik/admin/views/policies_bindings.py
@ -0,0 +1,81 @@
+"""authentik PolicyBinding administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import Max
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.lib.views import CreateAssignPermView
+from authentik.policies.forms import PolicyBindingForm
+from authentik.policies.models import PolicyBinding, PolicyBindingModel
+
+
+class PolicyBindingCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new PolicyBinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.add_policybinding"
+    form_class = PolicyBindingForm
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created PolicyBinding")
+
+    def get_initial(self) -> dict[str, Any]:
+        if "target" in self.request.GET:
+            initial_target_pk = self.request.GET["target"]
+            targets = PolicyBindingModel.objects.filter(
+                pk=initial_target_pk
+            ).select_subclasses()
+            if not targets.exists():
+                return {}
+            max_order = PolicyBinding.objects.filter(target=targets.first()).aggregate(
+                Max("order")
+            )["order__max"]
+            if not isinstance(max_order, int):
+                max_order = -1
+            return {"target": targets.first(), "order": max_order + 1}
+        return super().get_initial()
+
+
+class PolicyBindingUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update policybinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.change_policybinding"
+    form_class = PolicyBindingForm
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated PolicyBinding")
+
+
+class PolicyBindingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete policybinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.delete_policybinding"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted PolicyBinding")
--- a/authentik/admin/views/property_mappings.py
+++ b/authentik/admin/views/property_mappings.py
@ -0,0 +1,105 @@
+"""authentik PropertyMapping administration"""
+from json import dumps
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpResponse
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from django.views.generic.detail import DetailView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.forms.policies import PolicyTestForm
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.core.models import PropertyMapping
+
+
+class PropertyMappingCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new PropertyMapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.add_propertymapping"
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Property Mapping")
+
+
+class PropertyMappingUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.change_propertymapping"
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Property Mapping")
+
+
+class PropertyMappingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.delete_propertymapping"
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Property Mapping")
+
+
+class PropertyMappingTestView(
+    LoginRequiredMixin, DetailView, PermissionRequiredMixin, FormView
+):
+    """View to test property mappings"""
+
+    model = PropertyMapping
+    form_class = PolicyTestForm
+    permission_required = "authentik_core.view_propertymapping"
+    template_name = "administration/property_mapping/test.html"
+    object = None
+
+    def get_object(self, queryset=None) -> PropertyMapping:
+        return (
+            PropertyMapping.objects.filter(pk=self.kwargs.get("pk"))
+            .select_subclasses()
+            .first()
+        )
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["property_mapping"] = self.get_object()
+        return super().get_context_data(**kwargs)
+
+    def post(self, *args, **kwargs) -> HttpResponse:
+        self.object = self.get_object()
+        return super().post(*args, **kwargs)
+
+    def form_valid(self, form: PolicyTestForm) -> HttpResponse:
+        mapping = self.get_object()
+        user = form.cleaned_data.get("user")
+
+        context = self.get_context_data(form=form)
+        try:
+            result = mapping.evaluate(
+                user, self.request, **form.cleaned_data.get("context", {})
+            )
+            context["result"] = dumps(result, indent=4)
+        except Exception as exc:  # pylint: disable=broad-except
+            context["result"] = str(exc)
+        return self.render_to_response(context)
--- a/authentik/admin/views/providers.py
+++ b/authentik/admin/views/providers.py
@ -0,0 +1,57 @@
+"""authentik Provider administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.core.models import Provider
+
+
+class ProviderCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Provider"""
+
+    model = Provider
+    permission_required = "authentik_core.add_provider"
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Provider")
+
+
+class ProviderUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update provider"""
+
+    model = Provider
+    permission_required = "authentik_core.change_provider"
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Provider")
+
+
+class ProviderDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete provider"""
+
+    model = Provider
+    permission_required = "authentik_core.delete_provider"
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Provider")
--- a/authentik/admin/views/sources.py
+++ b/authentik/admin/views/sources.py
@ -0,0 +1,58 @@
+"""authentik Source administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.core.models import Source
+
+
+class SourceCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Source"""
+
+    model = Source
+    permission_required = "authentik_core.add_source"
+
+    success_url = "/"
+    template_name = "generic/create.html"
+    success_message = _("Successfully created Source")
+
+
+class SourceUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update source"""
+
+    model = Source
+    permission_required = "authentik_core.change_source"
+
+    success_url = "/"
+    template_name = "generic/update.html"
+    success_message = _("Successfully updated Source")
+
+
+class SourceDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete source"""
+
+    model = Source
+    permission_required = "authentik_core.delete_source"
+
+    success_url = "/"
+    template_name = "generic/delete.html"
+    success_message = _("Successfully deleted Source")
--- a/authentik/admin/views/stages.py
+++ b/authentik/admin/views/stages.py
@ -0,0 +1,57 @@
+"""authentik Stage administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceUpdateView,
+)
+from authentik.flows.models import Stage
+
+
+class StageCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Stage"""
+
+    model = Stage
+    template_name = "generic/create.html"
+    permission_required = "authentik_flows.add_stage"
+
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Stage")
+
+
+class StageUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update stage"""
+
+    model = Stage
+    permission_required = "authentik_flows.update_application"
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Stage")
+
+
+class StageDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete stage"""
+
+    model = Stage
+    template_name = "generic/delete.html"
+    permission_required = "authentik_flows.delete_stage"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Stage")
--- a/authentik/admin/views/stages_bindings.py
+++ b/authentik/admin/views/stages_bindings.py
@ -0,0 +1,79 @@
+"""authentik StageBinding administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import Max
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.flows.forms import FlowStageBindingForm
+from authentik.flows.models import Flow, FlowStageBinding
+from authentik.lib.views import CreateAssignPermView
+
+
+class StageBindingCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new StageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.add_flowstagebinding"
+    form_class = FlowStageBindingForm
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created StageBinding")
+
+    def get_initial(self) -> dict[str, Any]:
+        if "target" in self.request.GET:
+            initial_target_pk = self.request.GET["target"]
+            targets = Flow.objects.filter(pk=initial_target_pk).select_subclasses()
+            if not targets.exists():
+                return {}
+            max_order = FlowStageBinding.objects.filter(
+                target=targets.first()
+            ).aggregate(Max("order"))["order__max"]
+            if not isinstance(max_order, int):
+                max_order = -1
+            return {"target": targets.first(), "order": max_order + 1}
+        return super().get_initial()
+
+
+class StageBindingUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update FlowStageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.change_flowstagebinding"
+    form_class = FlowStageBindingForm
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated StageBinding")
+
+
+class StageBindingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete FlowStageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.delete_flowstagebinding"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted FlowStageBinding")
--- a/authentik/admin/views/stages_invitations.py
+++ b/authentik/admin/views/stages_invitations.py
@ -0,0 +1,51 @@
+"""authentik Invitation administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpResponseRedirect
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.lib.views import CreateAssignPermView
+from authentik.stages.invitation.forms import InvitationForm
+from authentik.stages.invitation.models import Invitation
+
+
+class InvitationCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Invitation"""
+
+    model = Invitation
+    form_class = InvitationForm
+    permission_required = "authentik_stages_invitation.add_invitation"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Invitation")
+
+    def form_valid(self, form):
+        obj = form.save(commit=False)
+        obj.created_by = self.request.user
+        obj.save()
+        return HttpResponseRedirect(self.success_url)
+
+
+class InvitationDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete invitation"""
+
+    model = Invitation
+    permission_required = "authentik_stages_invitation.delete_invitation"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Invitation")
--- a/authentik/admin/views/stages_prompts.py
+++ b/authentik/admin/views/stages_prompts.py
@ -0,0 +1,60 @@
+"""authentik Prompt administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.lib.views import CreateAssignPermView
+from authentik.stages.prompt.forms import PromptAdminForm
+from authentik.stages.prompt.models import Prompt
+
+
+class PromptCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Prompt"""
+
+    model = Prompt
+    form_class = PromptAdminForm
+    permission_required = "authentik_stages_prompt.add_prompt"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Prompt")
+
+
+class PromptUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update prompt"""
+
+    model = Prompt
+    form_class = PromptAdminForm
+    permission_required = "authentik_stages_prompt.change_prompt"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Prompt")
+
+
+class PromptDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete prompt"""
+
+    model = Prompt
+    permission_required = "authentik_stages_prompt.delete_prompt"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Prompt")
--- a/authentik/admin/views/tokens.py
+++ b/authentik/admin/views/tokens.py
@ -0,0 +1,19 @@
+"""authentik Token administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.core.models import Token
+
+
+class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete token"""
+
+    model = Token
+    permission_required = "authentik_core.delete_token"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Token")
--- a/authentik/admin/views/users.py
+++ b/authentik/admin/views/users.py
@ -0,0 +1,131 @@
+"""authentik User administration"""
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpRequest, HttpResponse
+from django.http.response import HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse_lazy
+from django.utils.http import urlencode
+from django.utils.translation import gettext as _
+from django.views.generic import DetailView, UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.forms.users import UserForm
+from authentik.admin.views.utils import DeleteMessageView
+from authentik.core.models import Token, User
+from authentik.lib.views import CreateAssignPermView
+
+
+class UserCreateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create user"""
+
+    model = User
+    form_class = UserForm
+    permission_required = "authentik_core.add_user"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created User")
+
+
+class UserUpdateView(
+    SuccessMessageMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update user"""
+
+    model = User
+    form_class = UserForm
+    permission_required = "authentik_core.change_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated User")
+
+
+class UserDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete user"""
+
+    model = User
+    permission_required = "authentik_core.delete_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted User")
+
+
+class UserDisableView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Disable user"""
+
+    object: User
+
+    model = User
+    permission_required = "authentik_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "administration/user/disable.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully disabled User")
+
+    def delete(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        self.object: User = self.get_object()
+        success_url = self.get_success_url()
+        self.object.is_active = False
+        self.object.save()
+        return HttpResponseRedirect(success_url)
+
+
+class UserEnableView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Enable user"""
+
+    object: User
+
+    model = User
+    permission_required = "authentik_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully enabled User")
+
+    def get(self, request: HttpRequest, *args, **kwargs):
+        self.object: User = self.get_object()
+        self.object.is_active = True
+        self.object.save()
+        return HttpResponseRedirect(self.success_url)
+
+
+class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Get Password reset link for user"""
+
+    model = User
+    permission_required = "authentik_core.reset_user_password"
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Create token for user and return link"""
+        super().get(request, *args, **kwargs)
+        token, __ = Token.objects.get_or_create(
+            identifier="password-reset-temp", user=self.object
+        )
+        querystring = urlencode({"token": token.key})
+        link = request.build_absolute_uri(
+            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
+        )
+        messages.success(request, _("Password reset link: %(link)s" % {"link": link}))
+        return redirect("/")
--- a/authentik/admin/views/utils.py
+++ b/authentik/admin/views/utils.py
@ -0,0 +1,63 @@
+"""authentik admin util views"""
+from typing import Any
+
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import Http404
+from django.urls import reverse_lazy
+from django.views.generic import DeleteView, UpdateView
+
+from authentik.lib.utils.reflection import all_subclasses
+from authentik.lib.views import CreateAssignPermView
+
+
+class DeleteMessageView(SuccessMessageMixin, DeleteView):
+    """DeleteView which shows `self.success_message` on successful deletion"""
+
+    success_url = reverse_lazy("authentik_core:shell")
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)
+
+
+class InheritanceCreateView(CreateAssignPermView):
+    """CreateView for objects using InheritanceManager"""
+
+    def get_form_class(self):
+        provider_type = self.request.GET.get("type")
+        try:
+            model = next(
+                x for x in all_subclasses(self.model) if x.__name__ == provider_type
+            )
+        except StopIteration as exc:
+            raise Http404 from exc
+        return model().form
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        form_cls = self.get_form_class()
+        if hasattr(form_cls, "template_name"):
+            kwargs["base_template"] = form_cls.template_name
+        return kwargs
+
+
+class InheritanceUpdateView(UpdateView):
+    """UpdateView for objects using InheritanceManager"""
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        form_cls = self.get_form_class()
+        if hasattr(form_cls, "template_name"):
+            kwargs["base_template"] = form_cls.template_name
+        return kwargs
+
+    def get_form_class(self):
+        return self.get_object().form
+
+    def get_object(self, queryset=None):
+        return (
+            self.model.objects.filter(pk=self.kwargs.get("pk"))
+            .select_subclasses()
+            .first()
+        )
--- a/passbook/admin/views/init.py
+++ b/passbook/admin/views/init.py
--- a/authentik/api/apps.py
+++ b/authentik/api/apps.py
@ -0,0 +1,12 @@
+"""authentik API AppConfig"""
+
+from django.apps import AppConfig
+
+
+class AuthentikAPIConfig(AppConfig):
+    """authentik API Config"""
+
+    name = "authentik.api"
+    label = "authentik_api"
+    mountpoint = "api/"
+    verbose_name = "authentik API"
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@ -0,0 +1,58 @@
+"""API Authentication"""
+from base64 import b64decode
+from binascii import Error
+from typing import Any, Optional, Union
+
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+from structlog.stdlib import get_logger
+
+from authentik.core.models import Token, TokenIntents, User
+
+LOGGER = get_logger()
+
+
+def token_from_header(raw_header: bytes) -> Optional[Token]:
+    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
+    auth_credentials = raw_header.decode()
+    # Accept headers with Type format and without
+    if " " in auth_credentials:
+        auth_type, auth_credentials = auth_credentials.split()
+        if auth_type.lower() != "basic":
+            LOGGER.debug(
+                "Unsupported authentication type, denying", type=auth_type.lower()
+            )
+            return None
+    try:
+        auth_credentials = b64decode(auth_credentials.encode()).decode()
+    except (UnicodeDecodeError, Error):
+        return None
+    # Accept credentials with username and without
+    if ":" in auth_credentials:
+        _, password = auth_credentials.split(":")
+    else:
+        password = auth_credentials
+    if password == "":  # nosec
+        return None
+    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
+    if not tokens.exists():
+        LOGGER.debug("Token not found")
+        return None
+    return tokens.first()
+
+
+class AuthentikTokenAuthentication(BaseAuthentication):
+    """Token-based authentication using HTTP Basic authentication"""
+
+    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
+        """Token-based authentication using HTTP Basic authentication"""
+        auth = get_authorization_header(request)
+
+        token = token_from_header(auth)
+        if not token:
+            return None
+
+        return (token.user, None)
+
+    def authenticate_header(self, request: Request) -> str:
+        return 'Basic realm="authentik"'
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@ -0,0 +1,32 @@
+"""Pagination which includes total pages and current page"""
+from rest_framework import pagination
+from rest_framework.response import Response
+
+
+class Pagination(pagination.PageNumberPagination):
+    """Pagination which includes total pages and current page"""
+
+    page_query_param = "page"
+    page_size_query_param = "page_size"
+
+    def get_paginated_response(self, data):
+        previous_page_number = 0
+        if self.page.has_previous():
+            previous_page_number = self.page.previous_page_number()
+        next_page_number = 0
+        if self.page.has_next():
+            next_page_number = self.page.next_page_number()
+        return Response(
+            {
+                "pagination": {
+                    "next": next_page_number,
+                    "previous": previous_page_number,
+                    "count": self.page.paginator.count,
+                    "current": self.page.number,
+                    "total_pages": self.page.paginator.num_pages,
+                    "start_index": self.page.start_index(),
+                    "end_index": self.page.end_index(),
+                },
+                "results": data,
+            }
+        )
--- a/authentik/api/templates/rest_framework/api.html
+++ b/authentik/api/templates/rest_framework/api.html
@ -0,0 +1,31 @@
+{% extends "rest_framework/base.html" %}
+
+{% block title %}{% if name %}{{ name }} – {% endif %}authentik{% endblock %}
+
+{% block branding %}
+<span class='navbar-brand'>
+    authentik
+</span>
+{% endblock %}
+
+{% block style %}
+{{ block.super }}
+<style>
+    body {
+        background-color: #18191a;
+        color: #fafafa;
+    }
+    .prettyprint {
+        background-color: #1c1e21;
+        color: #fafafa;
+        border: 1px solid #2b2e33;
+    }
+    .pln {
+        color: #fafafa;
+    }
+    .well {
+        background-color: #1c1e21;
+        border: 1px solid #2b2e33;
+    }
+</style>
+{% endblock %}
--- a/authentik/api/tests.py
+++ b/authentik/api/tests.py
@ -0,0 +1,37 @@
+"""Test API Authentication"""
+from base64 import b64encode
+
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.api.auth import token_from_header
+from authentik.core.models import Token, TokenIntents
+
+
+class TestAPIAuth(TestCase):
+    """Test API Authentication"""
+
+    def test_valid(self):
+        """Test valid token"""
+        token = Token.objects.create(
+            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+        )
+        auth = b64encode(f":{token.key}".encode()).decode()
+        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
+
+    def test_invalid_type(self):
+        """Test invalid type"""
+        self.assertIsNone(token_from_header("foo bar".encode()))
+
+    def test_invalid_decode(self):
+        """Test invalid bas64"""
+        self.assertIsNone(token_from_header("Basic bar".encode()))
+
+    def test_invalid_empty_password(self):
+        """Test invalid with empty password"""
+        self.assertIsNone(token_from_header("Basic :".encode()))
+
+    def test_invalid_no_token(self):
+        """Test invalid with no token"""
+        auth = b64encode(":abc".encode()).decode()
+        self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
--- a/authentik/api/urls.py
+++ b/authentik/api/urls.py
@ -0,0 +1,8 @@
+"""authentik api urls"""
+from django.urls import include, path
+
+from authentik.api.v2.urls import urlpatterns as v2_urls
+
+urlpatterns = [
+    path("v2beta/", include(v2_urls)),
+]
--- a/authentik/api/v2/init.py
+++ b/authentik/api/v2/init.py
--- a/authentik/api/v2/config.py
+++ b/authentik/api/v2/config.py
@ -0,0 +1,47 @@
+"""core Configs API"""
+from django.db.models import Model
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.permissions import AllowAny
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ReadOnlyField, Serializer
+from rest_framework.viewsets import ViewSet
+
+from authentik.lib.config import CONFIG
+
+
+class ConfigSerializer(Serializer):
+    """Serialize authentik Config into DRF Object"""
+
+    branding_logo = ReadOnlyField()
+    branding_title = ReadOnlyField()
+
+    error_reporting_enabled = ReadOnlyField()
+    error_reporting_environment = ReadOnlyField()
+    error_reporting_send_pii = ReadOnlyField()
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class ConfigsViewSet(ViewSet):
+    """Read-only view set that returns the current session's Configs"""
+
+    permission_classes = [AllowAny]
+
+    @swagger_auto_schema(responses={200: ConfigSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """Retrive public configuration options"""
+        config = ConfigSerializer(
+            {
+                "branding_logo": CONFIG.y("authentik.branding.logo"),
+                "branding_title": CONFIG.y("authentik.branding.title"),
+                "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
+                "error_reporting_environment": CONFIG.y("error_reporting.environment"),
+                "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
+            }
+        )
+        return Response(config.data)
--- a/authentik/api/v2/messages.py
+++ b/authentik/api/v2/messages.py
@ -0,0 +1,37 @@
+"""core messages API"""
+from django.contrib.messages import get_messages
+from django.db.models import Model
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.permissions import AllowAny
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ReadOnlyField, Serializer
+from rest_framework.viewsets import ViewSet
+
+
+class MessageSerializer(Serializer):
+    """Serialize Django Message into DRF Object"""
+
+    message = ReadOnlyField()
+    level = ReadOnlyField()
+    tags = ReadOnlyField()
+    extra_tags = ReadOnlyField()
+    level_tag = ReadOnlyField()
+
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class MessagesViewSet(ViewSet):
+    """Read-only view set that returns the current session's messages"""
+
+    permission_classes = [AllowAny]
+
+    @swagger_auto_schema(responses={200: MessageSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """List current messages and pass into Serializer"""
+        all_messages = list(get_messages(request))
+        return Response(MessageSerializer(all_messages, many=True).data)
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@ -0,0 +1,192 @@
+"""api v2 urls"""
+from django.urls import path, re_path
+from drf_yasg2 import openapi
+from drf_yasg2.views import get_schema_view
+from rest_framework import routers
+from rest_framework.permissions import AllowAny
+
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
+from authentik.admin.api.tasks import TaskViewSet
+from authentik.admin.api.version import VersionViewSet
+from authentik.admin.api.workers import WorkerViewSet
+from authentik.api.v2.config import ConfigsViewSet
+from authentik.api.v2.messages import MessagesViewSet
+from authentik.core.api.applications import ApplicationViewSet
+from authentik.core.api.groups import GroupViewSet
+from authentik.core.api.propertymappings import PropertyMappingViewSet
+from authentik.core.api.providers import ProviderViewSet
+from authentik.core.api.sources import SourceViewSet
+from authentik.core.api.tokens import TokenViewSet
+from authentik.core.api.users import UserViewSet
+from authentik.crypto.api import CertificateKeyPairViewSet
+from authentik.events.api.event import EventViewSet
+from authentik.events.api.notification import NotificationViewSet
+from authentik.events.api.notification_rule import NotificationRuleViewSet
+from authentik.events.api.notification_transport import NotificationTransportViewSet
+from authentik.flows.api.bindings import FlowStageBindingViewSet
+from authentik.flows.api.flows import FlowViewSet
+from authentik.flows.api.stages import StageViewSet
+from authentik.flows.views import FlowExecutorView
+from authentik.outposts.api.outpost_service_connections import (
+    DockerServiceConnectionViewSet,
+    KubernetesServiceConnectionViewSet,
+    ServiceConnectionViewSet,
+)
+from authentik.outposts.api.outposts import OutpostViewSet
+from authentik.policies.api import PolicyBindingViewSet, PolicyViewSet
+from authentik.policies.dummy.api import DummyPolicyViewSet
+from authentik.policies.event_matcher.api import EventMatcherPolicyViewSet
+from authentik.policies.expiry.api import PasswordExpiryPolicyViewSet
+from authentik.policies.expression.api import ExpressionPolicyViewSet
+from authentik.policies.group_membership.api import GroupMembershipPolicyViewSet
+from authentik.policies.hibp.api import HaveIBeenPwendPolicyViewSet
+from authentik.policies.password.api import PasswordPolicyViewSet
+from authentik.policies.reputation.api import (
+    IPReputationViewSet,
+    ReputationPolicyViewSet,
+    UserReputationViewSet,
+)
+from authentik.providers.oauth2.api import OAuth2ProviderViewSet, ScopeMappingViewSet
+from authentik.providers.proxy.api import (
+    ProxyOutpostConfigViewSet,
+    ProxyProviderViewSet,
+)
+from authentik.providers.saml.api import SAMLPropertyMappingViewSet, SAMLProviderViewSet
+from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
+from authentik.sources.oauth.api import OAuthSourceViewSet
+from authentik.sources.saml.api import SAMLSourceViewSet
+from authentik.stages.authenticator_static.api import AuthenticatorStaticStageViewSet
+from authentik.stages.authenticator_totp.api import AuthenticatorTOTPStageViewSet
+from authentik.stages.authenticator_validate.api import (
+    AuthenticatorValidateStageViewSet,
+)
+from authentik.stages.authenticator_webauthn.api import AuthenticateWebAuthnStageViewSet
+from authentik.stages.captcha.api import CaptchaStageViewSet
+from authentik.stages.consent.api import ConsentStageViewSet
+from authentik.stages.deny.api import DenyStageViewSet
+from authentik.stages.dummy.api import DummyStageViewSet
+from authentik.stages.email.api import EmailStageViewSet
+from authentik.stages.identification.api import IdentificationStageViewSet
+from authentik.stages.invitation.api import InvitationStageViewSet, InvitationViewSet
+from authentik.stages.password.api import PasswordStageViewSet
+from authentik.stages.prompt.api import PromptStageViewSet, PromptViewSet
+from authentik.stages.user_delete.api import UserDeleteStageViewSet
+from authentik.stages.user_login.api import UserLoginStageViewSet
+from authentik.stages.user_logout.api import UserLogoutStageViewSet
+from authentik.stages.user_write.api import UserWriteStageViewSet
+
+router = routers.DefaultRouter()
+
+router.register("root/messages", MessagesViewSet, basename="messages")
+router.register("root/config", ConfigsViewSet, basename="configs")
+
+router.register("admin/version", VersionViewSet, basename="admin_version")
+router.register("admin/workers", WorkerViewSet, basename="admin_workers")
+router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
+router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
+
+router.register("core/applications", ApplicationViewSet)
+router.register("core/groups", GroupViewSet)
+router.register("core/users", UserViewSet)
+router.register("core/tokens", TokenViewSet)
+
+router.register("outposts/outposts", OutpostViewSet)
+router.register("outposts/service_connections/all", ServiceConnectionViewSet)
+router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
+router.register(
+    "outposts/service_connections/kubernetes", KubernetesServiceConnectionViewSet
+)
+router.register("outposts/proxy", ProxyOutpostConfigViewSet)
+
+router.register("flows/instances", FlowViewSet)
+router.register("flows/bindings", FlowStageBindingViewSet)
+
+router.register("crypto/certificatekeypairs", CertificateKeyPairViewSet)
+
+router.register("events/events", EventViewSet)
+router.register("events/notifications", NotificationViewSet)
+router.register("events/transports", NotificationTransportViewSet)
+router.register("events/rules", NotificationRuleViewSet)
+
+router.register("sources/all", SourceViewSet)
+router.register("sources/ldap", LDAPSourceViewSet)
+router.register("sources/saml", SAMLSourceViewSet)
+router.register("sources/oauth", OAuthSourceViewSet)
+
+router.register("policies/all", PolicyViewSet)
+router.register("policies/bindings", PolicyBindingViewSet)
+router.register("policies/expression", ExpressionPolicyViewSet)
+router.register("policies/event_matcher", EventMatcherPolicyViewSet)
+router.register("policies/group_membership", GroupMembershipPolicyViewSet)
+router.register("policies/haveibeenpwned", HaveIBeenPwendPolicyViewSet)
+router.register("policies/password_expiry", PasswordExpiryPolicyViewSet)
+router.register("policies/password", PasswordPolicyViewSet)
+router.register("policies/reputation/users", UserReputationViewSet)
+router.register("policies/reputation/ips", IPReputationViewSet)
+router.register("policies/reputation", ReputationPolicyViewSet)
+
+router.register("providers/all", ProviderViewSet)
+router.register("providers/proxy", ProxyProviderViewSet)
+router.register("providers/oauth2", OAuth2ProviderViewSet)
+router.register("providers/saml", SAMLProviderViewSet)
+
+router.register("propertymappings/all", PropertyMappingViewSet)
+router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
+router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
+router.register("propertymappings/scope", ScopeMappingViewSet)
+
+router.register("stages/all", StageViewSet)
+router.register("stages/authenticator/static", AuthenticatorStaticStageViewSet)
+router.register("stages/authenticator/totp", AuthenticatorTOTPStageViewSet)
+router.register("stages/authenticator/validate", AuthenticatorValidateStageViewSet)
+router.register("stages/authenticator/webauthn", AuthenticateWebAuthnStageViewSet)
+router.register("stages/captcha", CaptchaStageViewSet)
+router.register("stages/consent", ConsentStageViewSet)
+router.register("stages/deny", DenyStageViewSet)
+router.register("stages/email", EmailStageViewSet)
+router.register("stages/identification", IdentificationStageViewSet)
+router.register("stages/invitation/invitations", InvitationViewSet)
+router.register("stages/invitation/stages", InvitationStageViewSet)
+router.register("stages/password", PasswordStageViewSet)
+router.register("stages/prompt/prompts", PromptViewSet)
+router.register("stages/prompt/stages", PromptStageViewSet)
+router.register("stages/user_delete", UserDeleteStageViewSet)
+router.register("stages/user_login", UserLoginStageViewSet)
+router.register("stages/user_logout", UserLogoutStageViewSet)
+router.register("stages/user_write", UserWriteStageViewSet)
+
+router.register("stages/dummy", DummyStageViewSet)
+router.register("policies/dummy", DummyPolicyViewSet)
+
+info = openapi.Info(
+    title="authentik API",
+    default_version="v2",
+    contact=openapi.Contact(email="hello@beryju.org"),
+    license=openapi.License(
+        name="GNU GPLv3", url="https://github.com/BeryJu/authentik/blob/master/LICENSE"
+    ),
+)
+SchemaView = get_schema_view(
+    info,
+    public=True,
+    permission_classes=(AllowAny,),
+)
+
+urlpatterns = [
+    re_path(
+        r"^swagger(?P<format>\.json|\.yaml)$",
+        SchemaView.without_ui(cache_timeout=0),
+        name="schema-json",
+    ),
+    path(
+        "swagger/",
+        SchemaView.with_ui("swagger", cache_timeout=0),
+        name="schema-swagger-ui",
+    ),
+    path("redoc/", SchemaView.with_ui("redoc", cache_timeout=0), name="schema-redoc"),
+    path(
+        "flows/executor/<slug:flow_slug>/",
+        FlowExecutorView.as_view(),
+        name="flow-executor",
+    ),
+] + router.urls
--- a/passbook/audit/migrations/init.py
+++ b/passbook/audit/migrations/init.py
--- a/authentik/core/admin.py
+++ b/authentik/core/admin.py
@ -0,0 +1,20 @@
+"""authentik core admin"""
+
+from django.apps import AppConfig, apps
+from django.contrib import admin
+from django.contrib.admin.sites import AlreadyRegistered
+from guardian.admin import GuardedModelAdmin
+
+
+def admin_autoregister(app: AppConfig):
+    """Automatically register all models from app"""
+    for model in app.get_models():
+        try:
+            admin.site.register(model, GuardedModelAdmin)
+        except AlreadyRegistered:
+            pass
+
+
+for _app in apps.get_app_configs():
+    if _app.label.startswith("authentik_"):
+        admin_autoregister(_app)
--- a/passbook/captcha_factor/migrations/init.py
+++ b/passbook/captcha_factor/migrations/init.py
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -0,0 +1,126 @@
+"""Application API Views"""
+from django.core.cache import cache
+from django.db.models import QuerySet
+from django.http.response import Http404
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.decorators import action
+from rest_framework.fields import SerializerMethodField
+from rest_framework.generics import get_object_or_404
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter
+from structlog.stdlib import get_logger
+
+from authentik.admin.api.metrics import get_events_per_1h
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.models import Application
+from authentik.events.models import EventAction
+from authentik.policies.engine import PolicyEngine
+
+LOGGER = get_logger()
+
+
+def user_app_cache_key(user_pk: str) -> str:
+    """Cache key where application list for user is saved"""
+    return f"user_app_cache_{user_pk}"
+
+
+class ApplicationSerializer(ModelSerializer):
+    """Application Serializer"""
+
+    launch_url = SerializerMethodField()
+    provider = ProviderSerializer(source="get_provider", required=False)
+
+    def get_launch_url(self, instance: Application) -> str:
+        """Get generated launch URL"""
+        return instance.get_launch_url() or ""
+
+    class Meta:
+
+        model = Application
+        fields = [
+            "pk",
+            "name",
+            "slug",
+            "provider",
+            "launch_url",
+            "meta_launch_url",
+            "meta_icon",
+            "meta_description",
+            "meta_publisher",
+            "policies",
+        ]
+
+
+class ApplicationViewSet(ModelViewSet):
+    """Application Viewset"""
+
+    queryset = Application.objects.all()
+    serializer_class = ApplicationSerializer
+    search_fields = [
+        "name",
+        "slug",
+        "meta_launch_url",
+        "meta_description",
+        "meta_publisher",
+    ]
+    lookup_field = "slug"
+    ordering = ["name"]
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def _get_allowed_applications(self, queryset: QuerySet) -> list[Application]:
+        applications = []
+        for application in queryset:
+            engine = PolicyEngine(application, self.request.user, self.request)
+            engine.build()
+            if engine.passing:
+                applications.append(application)
+        return applications
+
+    def list(self, request: Request) -> Response:
+        """Custom list method that checks Policy based access instead of guardian"""
+        queryset = self._filter_queryset_for_list(self.get_queryset())
+        self.paginate_queryset(queryset)
+
+        should_cache = request.GET.get("search", "") == ""
+
+        allowed_applications = []
+        if not should_cache:
+            allowed_applications = self._get_allowed_applications(queryset)
+        if should_cache:
+            LOGGER.debug("Caching allowed application list")
+            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
+            if not allowed_applications:
+                allowed_applications = self._get_allowed_applications(queryset)
+                cache.set(
+                    user_app_cache_key(self.request.user.pk),
+                    allowed_applications,
+                    timeout=86400,
+                )
+        serializer = self.get_serializer(allowed_applications, many=True)
+        return self.get_paginated_response(serializer.data)
+
+    @action(detail=True)
+    def metrics(self, request: Request, slug: str):
+        """Metrics for application logins"""
+        app = get_object_or_404(
+            get_objects_for_user(request.user, "authentik_core.view_application"),
+            slug=slug,
+        )
+        if not request.user.has_perm("authentik_events.view_event"):
+            raise Http404
+        return Response(
+            get_events_per_1h(
+                action=EventAction.AUTHORIZE_APPLICATION,
+                context__authorized_application__pk=app.pk.hex,
+            )
+        )
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`<ak-codemirror mode="{{ widget.attrs.mode }}"><textarea class="pf-c-form-control" name="{{ widget.name }}">{% if widget.value %}{{ widget.value }}{% endif %}</textarea></ak-codemirror>`